Windows Analysis Report
Collaboration-x64.exe

Overview

General Information

Sample name:Collaboration-x64.exe
Analysis ID:1590179
MD5:335fe577cfcd7c2e3d62ca7ae6c92b8f
SHA1:e025f1c339ac4f39134283cb7dff0a2b48e5be6b
SHA256:7b999bd912a71a10f056eb8052a0475efdff781a15b94606138c6525c60665cb

Detection

Score:57
Range:0 - 100
Whitelisted:false
Confidence:100%

Compliance

Score:36
Range:0 - 100

Signatures

Drops large PE files
Excessive usage of taskkill to terminate processes
Modifies the windows firewall
Sigma detected: Invoke-Obfuscation CLIP+ Launcher
Sigma detected: Invoke-Obfuscation VAR+ Launcher
Sigma detected: Schtasks Creation Or Modification With SYSTEM Privileges
Sigma detected: Suspicious Schtasks Execution AppData Folder
Uses netsh to modify the Windows network and firewall settings
Uses schtasks.exe or at.exe to add and modify task schedules
Binary contains a suspicious time stamp
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected non-DNS traffic on DNS port
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
EXE planting / hijacking vulnerabilities found
Enables debug privileges
Enables security privileges
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains executable resources (Code or Archives)
PE file contains more sections than normal
PE file contains sections with non-standard names
PE file does not import any functions
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Use Short Name Path in Command Line
Stores files to the Windows start menu directory
Too many similar processes found
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

  • System is w10x64
  • Collaboration-x64.exe (PID: 1476 cmdline: "C:\Users\user\Desktop\Collaboration-x64.exe" MD5: 335FE577CFCD7C2E3D62CA7AE6C92B8F)
    • netsh.exe (PID: 1748 cmdline: netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
      • conhost.exe (PID: 1860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • SetupWIService.exe (PID: 2260 cmdline: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true MD5: A7046C3136192E6E7B5180728B3B3B49)
      • cmd.exe (PID: 3988 cmdline: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4484 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 3060 cmdline: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • cmd.exe (PID: 5192 cmdline: cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5944 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 3720 cmdline: schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
          • Conhost.exe (PID: 344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7144 cmdline: cmd /C taskkill /F /IM WIService.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6296 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 6200 cmdline: taskkill /F /IM WIService.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 4024 cmdline: cmd /C taskkill /F /IM WIui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3740 cmdline: taskkill /F /IM WIui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 3396 cmdline: cmd /C taskkill /F /IM wirtpproxy.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6564 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 6324 cmdline: taskkill /F /IM wirtpproxy.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 4552 cmdline: cmd /C taskkill /F /IM wiservice-ui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3700 cmdline: taskkill /F /IM wiservice-ui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 3672 cmdline: cmd /C taskkill /F /IM vncsrv.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 6732 cmdline: taskkill /F /IM vncsrv.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 1516 cmdline: cmd /C taskkill /F /IM WildixOutlookIntegration.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 1888 cmdline: taskkill /F /IM WildixOutlookIntegration.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • cmd.exe (PID: 3060 cmdline: cmd /C taskkill /F /IM WildixOutlookSync32.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 3800 cmdline: taskkill /F /IM WildixOutlookSync32.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
          • Conhost.exe (PID: 2024 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 7036 cmdline: cmd /C taskkill /F /IM WildixOutlookSync64.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 6196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • taskkill.exe (PID: 2352 cmdline: taskkill /F /IM WildixOutlookSync64.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • wiservice.exe (PID: 432 cmdline: "C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter MD5: D62710F3678538E483FFC7EA112D7F68)
      • Conhost.exe (PID: 4696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 2708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 2340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • svchost.exe (PID: 5140 cmdline: C:\Windows\system32\svchost.exe -k LocalService -s W32Time MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SetupWIService.exe (PID: 1260 cmdline: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true MD5: A7046C3136192E6E7B5180728B3B3B49)
    • cmd.exe (PID: 6064 cmdline: cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2880 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5208 cmdline: schtasks /delete /TN "Wildix\WIService failed update recovery" /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • Conhost.exe (PID: 4656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 6472 cmdline: cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1316 cmdline: schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 3260 cmdline: cmd /C taskkill /F /IM WIService.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2380 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 6324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4484 cmdline: taskkill /F /IM WIService.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 1664 cmdline: cmd /C taskkill /F /IM WIui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4708 cmdline: taskkill /F /IM WIui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • Conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 4564 cmdline: cmd /C taskkill /F /IM wirtpproxy.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3492 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 4856 cmdline: taskkill /F /IM wirtpproxy.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 5452 cmdline: cmd /C taskkill /F /IM wiservice-ui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • cmd.exe (PID: 1624 cmdline: cmd /C taskkill /F /IM vncsrv.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2120 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 2168 cmdline: taskkill /F /IM vncsrv.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • Conhost.exe (PID: 1204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3256 cmdline: cmd /C taskkill /F /IM WildixOutlookIntegration.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6836 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5732 cmdline: taskkill /F /IM WildixOutlookIntegration.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 6296 cmdline: cmd /C taskkill /F /IM WildixOutlookSync32.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3968 cmdline: taskkill /F /IM WildixOutlookSync32.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 5668 cmdline: cmd /C taskkill /F /IM WildixOutlookSync64.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • SetupWIService.exe (PID: 4348 cmdline: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S MD5: A7046C3136192E6E7B5180728B3B3B49)
    • cmd.exe (PID: 5452 cmdline: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 1580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 5980 cmdline: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3136 cmdline: taskkill /F /IM wiservice-ui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 2052 cmdline: cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 6004 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • schtasks.exe (PID: 1876 cmdline: schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F MD5: 48C2FE20575769DE916F48EF0676A965)
    • cmd.exe (PID: 1860 cmdline: cmd /C taskkill /F /IM WIService.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3916 cmdline: taskkill /F /IM WIService.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
      • Conhost.exe (PID: 6524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 6048 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • cmd.exe (PID: 3740 cmdline: cmd /C taskkill /F /IM WIui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6692 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 7004 cmdline: taskkill /F /IM WIui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 3364 cmdline: cmd /C taskkill /F /IM wirtpproxy.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 5084 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5208 cmdline: taskkill /F /IM wirtpproxy.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 4812 cmdline: cmd /C taskkill /F /IM wiservice-ui.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 2864 cmdline: taskkill /F /IM wiservice-ui.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 2712 cmdline: cmd /C taskkill /F /IM vncsrv.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6732 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 5688 cmdline: taskkill /F /IM vncsrv.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 1516 cmdline: cmd /C taskkill /F /IM WildixOutlookIntegration.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 3452 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 7156 cmdline: taskkill /F /IM WildixOutlookIntegration.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 5204 cmdline: cmd /C taskkill /F /IM WildixOutlookSync32.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4376 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 3900 cmdline: taskkill /F /IM WildixOutlookSync32.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • cmd.exe (PID: 3580 cmdline: cmd /C taskkill /F /IM WildixOutlookSync64.exe MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • Conhost.exe (PID: 4100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • taskkill.exe (PID: 7004 cmdline: taskkill /F /IM WildixOutlookSync64.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
    • Conhost.exe (PID: 3900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • Conhost.exe (PID: 4580 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • Conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process startedAuthor: Jonathan Cheong, oscd.community: Data: Command: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true, ParentImage: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, ParentProcessId: 2260, ParentProcessName: SetupWIService.exe, ProcessCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 3988, ProcessName: cmd.exe
Source: Process startedAuthor: Nasreddine Bencherchali (Nextron Systems): Data: Command: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3988, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 3060, ProcessName: schtasks.exe
Source: Process startedAuthor: pH-T (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3988, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 3060, ProcessName: schtasks.exe
Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Program Files\Wildix\WIService\WIService.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, ProcessId: 2260, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WIService
Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3988, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F, ProcessId: 3060, ProcessName: schtasks.exe
Source: Process startedAuthor: frack113, Nasreddine Bencherchali: Data: Command: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true, CommandLine: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, ParentCommandLine: "C:\Users\user\Desktop\Collaboration-x64.exe", ParentImage: C:\Users\user\Desktop\Collaboration-x64.exe, ParentProcessId: 1476, ParentProcessName: Collaboration-x64.exe, ProcessCommandLine: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true, ProcessId: 2260, ProcessName: SetupWIService.exe
Source: Process startedAuthor: vburov: Data: Command: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 624, ProcessCommandLine: C:\Windows\system32\svchost.exe -k LocalService -s W32Time, ProcessId: 5140, ProcessName: svchost.exe
No Suricata rule has matched

Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_6EE07CE9 CryptUnprotectData,0_2_6EE07CE9
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_6EE07DA3 _wcsicmp,??2@YAPAXI@Z,CryptProtectData,0_2_6EE07DA3
Source: Collaboration-x64.exe, 00000000.00000003.1385936802.0000000005010000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_8af3760b-1
Source: C:\Users\user\Desktop\Collaboration-x64.exe EXE: C:\Users\user\AppData\Local\wildix-collaboration-updater\installer.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe EXE: netsh.exe

Compliance

Source: C:\Users\user\Desktop\Collaboration-x64.exe EXE: C:\Users\user\AppData\Local\wildix-collaboration-updater\installer.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe EXE: netsh.exe
Source: Collaboration-x64.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\uninstallerIcon.ico
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\chrome_100_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\chrome_200_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\icudtl.dat
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\libGLESv2.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txt
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\LICENSES.chromium.html
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\resources.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\snapshot_blob.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\v8_context_snapshot.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader_icd.json
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\af.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\am.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\ar.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\bg.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\bn.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\ca.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\cs.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\da.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\de.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\el.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\en-GB.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\en-US.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\es-419.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\es.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\et.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\fa.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\fi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\fil.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\fr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\gu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\he.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\hi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\hr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\hu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe Directory created: C:\Program Files\Wildix Collaboration\locales\id.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\it.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ja.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\kn.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ko.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\lt.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\lv.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ml.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\mr.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ms.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\nb.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\nl.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\pl.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\pt-BR.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\pt-PT.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ro.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ru.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sk.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sl.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sr.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sv.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sw.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ta.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\te.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\th.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\tr.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\uk.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ur.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\vi.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\zh-CN.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\zh-TW.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resourcesJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\app.asarJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\elevate.exeJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modulesJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regeditJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureAgnosticRegistry.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureSpecificRegistry.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\JsonSafeTest.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regCreateKey.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regDeleteKey.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regList.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regListStream.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regPutValue.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regUtil.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\util.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\Uninstall Wildix Collaboration.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\WildixJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIServiceJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\wildix.icoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\wiservice.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WisUpdateCheckerTaskX64.xmlJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\x-bees.icoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\faxJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\imgprint.gpdJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\STDDTYPE.GDLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\STDNAMES.GPDJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\STDSCHEM.GDLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\STDSCHMX.GDLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.HLPJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\UNIRES.DLLJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\fax\wfaxport.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwaresJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtBase0x5e2f.dfuJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtHeadset0x5e2f.dfuJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\resourcesJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\resources\cdr.dbJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Office.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Serilog.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\UC.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\websocket-sharp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\wildix-oi.icoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll.manifestJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.vstoJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe.configJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\dotnet-dump.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\UninstallWIService.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDirectory created: C:\Program Files\Wildix\WIService\proxyex.lnkJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\44138925-f2ba-545d-a77a-222326161a05Jump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\7z-out\LICENSE.electron.txtJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txtJump to behavior
Source: Collaboration-x64.exeStatic PE information: certificate valid
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile opened: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dllJump to behavior
Source: Collaboration-x64.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D3DCompiler_47.pdb source: Collaboration-x64.exe, 00000000.00000003.1566249335.0000000004910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\asn1\x_info.ccrypto\pem\pem_info.ccrypto\ocsp\ocsp_lib.c0 source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb: source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1568113373.0000000004910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: Collaboration-x64.exe, 00000000.00000003.1566249335.0000000004910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\electron.exe.pdb source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1588742307.0000000004913000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: unidrv.pdb source: wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 7_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 7_2_00406873 FindFirstFileW,FindClose,7_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 7_2_0040290B FindFirstFileW,7_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 18_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,18_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 18_2_00406873 FindFirstFileW,FindClose,18_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 18_2_0040290B FindFirstFileW,18_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 20_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,20_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 20_2_00406873 FindFirstFileW,FindClose,20_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 20_2_0040290B FindFirstFileW,20_2_0040290B
Source: global trafficTCP traffic: 192.168.2.7:64709 -> 1.1.1.1:53
Source: unknownTCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global trafficDNS traffic detected: DNS query: time.windows.com
Source: global trafficDNS traffic detected: DNS query: feedback.wildix.com
Source: global trafficDNS traffic detected: DNS query: crt.sectigo.com
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4551
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4633
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4646
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4722
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/482
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4836
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4901
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/4937
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5007
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5007disableDrawBuffersIndexedDisable
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5055
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5061
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5281
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5371
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5375
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5421
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5430
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5469
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5535
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5577
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5658
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5658forceGlErrorCheckingForce
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5750
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5750forceRobustResourceInitForce-enable
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5881
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5901
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/5906
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6041
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6041forceInitShaderVariablesForce-enable
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6048
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6141
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6248
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6439
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6651
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6692
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6755
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6860
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6876
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6878
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6929
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/6953
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7036
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7036dumpShaderSourceWrite
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7047
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7172
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7279
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7279cacheCompiledShaderEnable
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7370
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7406
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7488
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7527
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7553
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7556
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7724
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7724disableAnisotropicFilteringDisable
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7760
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7760enableShaderSubstitutionCheck
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7761
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/7761disableProgramCachingDisables
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8162
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8172
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8215
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8229
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8280
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8280enableTranslatedShaderSubstitutionCheck
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8291
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8297
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8417
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://anglebug.com/8417uncurrentEglSurfaceUponSurfaceDestroyMake
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1385936802.0000000005010000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://blog.izs.me/)
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692649844.0000000005C2B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692649844.0000000005C2B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmp, wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0w
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmp, wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cevcsca2021.ocsp-certum.com07
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.google.com/p/python-gflags/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://code.google.com/p/smhasher/
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1094869
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/110263
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1144207
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1171371
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1181068
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1181193
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1420130
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1434317
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/1456243
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/308366
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/403957
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/550292
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/565179
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/642227
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/642605
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/644669
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/650547
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/672380
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/709351
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/797243
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/809422
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/830046
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/883276
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/927470
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/941620
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crbug.com/941620allowTranslateUniformBlockToStructuredBufferThere
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2542702950.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.certum.pl/ctnca.crl0k
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmp, wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.certum.pl/ctnca2.crl0l
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.certum.pl/ctsca2021.crl0o
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692649844.0000000005C2B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692649844.0000000005C2B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2542702950.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ejemplo.com
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: http://exslt.org/common
Source: Collaboration-x64.exe, 00000000.00000003.1682639209.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chrome.google.com/webstore?hl=ur&category=theme81https://myactivity.google.com/myactivity/?u
Source: Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1678959559.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661227114.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1656683498.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663048464.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665272661.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655296647.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655736025.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1664160638.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1668191893.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherEnabled
Source: Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1678959559.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661227114.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1656683498.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663048464.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665272661.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655296647.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655736025.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1664160638.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668191893.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalGreylistUrl
Source: Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1678959559.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661227114.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1656683498.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663048464.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665272661.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655296647.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655736025.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1664160638.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668191893.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherExternalSitelistUrl
Source: Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1678959559.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661227114.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1656683498.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663048464.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665272661.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655296647.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655736025.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1664160638.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668191893.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlGreylist
Source: Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1678959559.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661227114.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1656683498.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663048464.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665272661.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655296647.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655736025.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1664160638.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668191893.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUrlList
Source: Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1678959559.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661227114.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1656683498.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663048464.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665272661.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655296647.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655736025.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1664160638.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668191893.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromeenterprise.google/policies/#BrowserSwitcherUseIeSitelist
Source: Collaboration-x64.exe, 00000000.00000003.1675746549.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665829473.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682639209.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1657752820.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660019584.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1664651095.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661844507.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682310288.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1683722449.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682909608.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1681811967.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658208769.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromestatus.com/features#browsers.chrome.status%3A%22Deprecated%22
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://chromium.googlesource.com/chromium/src/
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://clients2.google.com/domainreliability/upload
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://codereview.chromium.org/121173009/
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1042393
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1046462
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1060012
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1091824
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1137851
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1144908
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1144908.
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1144908.The
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1144908Changing
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1154140
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1300575
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1356053
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/1429681
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/593024
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/593024selectViewInGeometryShaderThe
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/650547
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/650547callClearTwiceUsing
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/655534
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/655534useSystemMemoryForConstantBuffersCopying
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/705865
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/710443
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/811661
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/848952
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/927119
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://crbug.com/927119..
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://creativecommons.org/licenses/by/3.0/
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://datatracker.ietf.org/doc/draft-ietf-rtcweb-ip-handling.
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/service_workers/events/
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://developer.chrome.com/docs/extensions/mv3/service_workers/events/Script
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://docs.google.com/
Source: Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ejemplo.com.Se
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://example.org
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://example.orgExpired
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gcp.gvt2.com/
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://gcp.gvt6.com/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Headers.git
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/KhronosGroup/SPIRV-Tools.git
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Maratyszcza/pthreadpool
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/PortAudio/portaudio/tree/master/src/common
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/SeleniumHQ/selenium/tree/trunk
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/Squirrel/Squirrel.Mac
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/WebBluetoothCG/web-bluetooth/blob/main/implementation-status.md
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/ajv-validator/ajv/issues/889
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/bestiejs/punycode.js
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://github.com/brailcom/speechd
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1385936802.0000000005010000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://github.com/dcodeIO/long.js.git
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://pypi.python.org/pypi/pyfakefs
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://quiche.googlesource.com/quiche
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/json-schema-secure.json#
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://redux.js.org/
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://semver.org/
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://shorturl.at/drFY7)
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1385936802.0000000005010000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sindresorhus.com
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1385936802.0000000005010000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://sindresorhus.com)
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sites.google.com/site/gaviotachessengine/Home/endgame-tablebases-1
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sizzlejs.com/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://skia.org/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://source.corp.google.com/piper///depot/google3/third_party/tamachiyomi/README.md
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sqlite.org/
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://ssl.gstatic.com/
Source: Collaboration-x64.exe, 00000000.00000003.1666143922.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1654885833.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1675746549.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665829473.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682639209.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1680569253.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660019584.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1664651095.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661844507.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682310288.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1683722449.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682909608.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/a/answer/9122284
Source: Collaboration-x64.exe, 00000000.00000003.1663834642.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1666143922.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1654885833.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1675746549.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665829473.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682639209.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1657752820.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1680569253.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660019584.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1681556304.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1664651095.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661844507.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682310288.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1683722449.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869
Source: Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/answer/6098869?hl=es
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://swiftshader.googlesource.com/SwiftShader
Source: Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://tools.ietf.org/html/rfc3339#appendix-C
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/manifest/#installability-signals
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://w3c.github.io/manifest/#installability-signalsVideoFrameProviderClientImpl::StartRenderingVi
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692649844.0000000005C2B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://wildix.com/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.apache.org/licenses/LICENSE-2.0
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.bluetooth.com/specifications/gatt/characteristics
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.bluetooth.com/specifications/gatt/descriptors
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.bluetooth.com/specifications/gatt/services
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.certum.pl/CPS0
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/4664843055398912
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/5093566007214080
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/5093566007214080ErrorEventInitG
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/5636954674692096
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/5644273861001216.
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/5682658461876224.
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/5718547946799104
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005388000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/6662647093133312
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005388000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.chromestatus.com/feature/6662647093133312InputDeviceCapabilities
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.khronos.org/registry/
Source: Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.strongtalk.org/
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_00405461 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,0_2_00405461
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: GetRawInputDatamemstr_523405cb-0
Source: cmd.exeProcess created: 61

System Summary

Source: C:\Users\user\Desktop\Collaboration-x64.exeFile dump: Wildix Collaboration.exe.0.dr 176619800
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile dump: Wildix Collaboration.exe0.0.dr 176619800
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_100010D0 GetVersionExW,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,lstrcpynW,lstrcmpiW,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcmpiW,CloseHandle,FreeLibrary,0_2_100010D0
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 7_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,7_2_0040352D
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 18_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,ExitProcess,CoUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,18_2_0040352D
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: 20_2_0040352D EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,OleUninitialize,ExitProcess,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,20_2_0040352D
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\wfaxport.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\unidrv.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\imgprint.gpd
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\unidrvui.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\unires.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\stdnames.gpd
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\stddtype.gdl
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\stdschem.gdl
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\system32\spool\DRIVERS\x64\stdschmx.gdl
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile deleted: C:\Windows\Temp\nsd889.tmp
Source: C:\Users\user\Desktop\Collaboration-x64.exeProcess token adjusted: Security
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: String function: 0040653D appears 49 times
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeCode function: String function: 00402DA6 appears 78 times
Source: UNIRES.DLL.7.drStatic PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: UNIRES.DLL.7.drStatic PE information: Resource name: None type: COM executable for DOS
Source: Wildix Collaboration.exe.0.drStatic PE information: Number of sections : 14 > 10
Source: Wildix Collaboration.exe0.0.drStatic PE information: Number of sections : 14 > 10
Source: UC.dll.7.drStatic PE information: No import functions for PE file found
Source: UNIRES.DLL.7.drStatic PE information: No import functions for PE file found
Source: Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameJ vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1394123648.0000000005876000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1588742307.0000000004913000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevk_swiftshader.dll, vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmpBinary or memory string: OriginalFilenameStdUtils.dllL vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamevk_swiftshader.dll, vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dllb! vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1566249335.0000000004910000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamed3dcompiler_47.dllj% vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000002.2542702950.0000000005C1F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameElevate.exeH vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameElevate.exeH vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1579262945.0000000004919000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenamelibGLESv2.dllb! vs Collaboration-x64.exe
Source: Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenameJ vs Collaboration-x64.exe
Source: Collaboration-x64.exeStatic PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: UNIRES.DLL.7.drStatic PE information: Section .rsrc
Source: classification engineClassification label: mal57.evad.winEXE@239/173@3/0
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_00404722 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,0_2_00404722
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_703F2AAC CreateToolhelp32Snapshot,0_2_703F2AAC
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_00402104 CoCreateInstance,0_2_00402104
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Program Files\Wildix Collaboration
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user\AppData\Local\wildix-collaboration-updater
Source: C:\Users\user\Desktop\Collaboration-x64.exeMutant created: \Sessions\1\BaseNamedObjects\44138925-f2ba-545d-a77a-222326161a05
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsr471D.tmp
Source: Collaboration-x64.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIui.exe")
Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIService.exe")
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookIntegration.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync64.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wiservice-ui.exe")
Source: C:\Windows\SysWOW64\schtasks.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookIntegration.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync32.exe")
Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync64.exe")
Source: C:\Windows\SysWOW64\cmd.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WIui.exe")
Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\System32\Conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "vncsrv.exe")
Source: C:\Windows\System32\Conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "WildixOutlookSync32.exe")
Source: C:\Windows\System32\Conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "wirtpproxy.exe")
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Collaboration-x64.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmpBinary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmpBinary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile read: C:\Users\user\Desktop\Collaboration-x64.exe
Source: unknownProcess created: C:\Users\user\Desktop\Collaboration-x64.exe "C:\Users\user\Desktop\Collaboration-x64.exe"
Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\Desktop\Collaboration-x64.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Source: C:\Windows\SysWOW64\netsh.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Collaboration-x64.exeProcess created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Program Files\Wildix\WIService\wiservice.exe "C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Program Files\Wildix\WIService\wiservice.exe "C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: userenv.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: propsys.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: dwmapi.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: oleacc.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: riched20.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: usp10.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: msls31.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: textshaping.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: textinputframework.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: coreuicomponents.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: coremessaging.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: wintypes.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: windows.staterepositoryps.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: iertutil.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: ntshrui.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: linkinfo.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: srvcli.dllJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeSection loaded: cscapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: w32time.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: logoncli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: powrprof.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: umpdc.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: wldp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: gpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dsrole.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: vmictimeprovider.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\svchost.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: slc.dll
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: ktmw32.dll
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: mprmsg.dll
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\netsh.exe, Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: ntshrui.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: cscapi.dll
Source: C:\Windows\SysWOW64\schtasks.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe, Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe, Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe, Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe, Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Uninstall.lnk.7.dr, LNK file: ..\..\..\..\..\..\..\Program Files\Wildix\WIService\UninstallWIService.exe
Source: Window Recorder, Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Outlook\Addins\Wildix.AddIn
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\uninstallerIcon.ico
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\chrome_100_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\chrome_200_percent.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\icudtl.dat
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\libGLESv2.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txt
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\LICENSES.chromium.html
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\resources.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\snapshot_blob.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\v8_context_snapshot.bin
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\vk_swiftshader_icd.json
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\af.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\am.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\ar.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\bg.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\bn.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\ca.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\cs.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\da.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\de.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\el.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\en-GB.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\en-US.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\es-419.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\es.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\et.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\fa.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\fi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\fil.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\fr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\gu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\he.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\hi.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\hr.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exe, Directory created: C:\Program Files\Wildix Collaboration\locales\hu.pak
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\id.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\it.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ja.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\kn.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ko.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\lt.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\lv.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ml.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\mr.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ms.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\nb.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\nl.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\pl.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\pt-BR.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\pt-PT.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ro.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ru.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sk.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sl.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sr.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sv.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\sw.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ta.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\te.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\th.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\tr.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\uk.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\ur.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\vi.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\zh-CN.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\locales\zh-TW.pakJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resourcesJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\app.asarJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\elevate.exeJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modulesJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regeditJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureAgnosticRegistry.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\ArchitectureSpecificRegistry.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\JsonSafeTest.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regCreateKey.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regDeleteKey.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regList.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regListStream.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regPutValue.wsfJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\regUtil.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\resources\node_modules\regedit\vbs\util.vbsJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeDirectory created: C:\Program Files\Wildix Collaboration\Uninstall Wildix Collaboration.exeJump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wildix.ico
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wiservice.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WisUpdateCheckerTaskX64.xml
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\x-bees.ico
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\imgprint.gpd
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDDTYPE.GDL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDNAMES.GPD
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDSCHEM.GDL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\STDSCHMX.GDL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRV.HLP
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\UNIRES.DLL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\fax\wfaxport.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtBase0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\DuoMonoLedBtHeadset0x5e2f.dfu
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\resources
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\resources\cdr.db
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Office.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\UC.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\websocket-sharp.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\wildix-oi.ico
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll.manifest
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.vsto
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe.config
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\dotnet-dump.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\UninstallWIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Directory created: C:\Program Files\Wildix\WIService\proxyex.lnk
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\44138925-f2ba-545d-a77a-222326161a05
Source: Collaboration-x64.exe | Static PE information: certificate valid
Source: Collaboration-x64.exe | Static file information: File size 104457632 > 1048576
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File opened: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: Collaboration-x64.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: D3DCompiler_47.pdb source: Collaboration-x64.exe, 00000000.00000003.1566249335.0000000004910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /MT /Zl /Gs0 /GF /Gy /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMcrypto\asn1\x_info.ccrypto\pem\pem_info.ccrypto\ocsp\ocsp_lib.c0 source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb: source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: C:\projects\src\out\Default\ffmpeg.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1568113373.0000000004910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D3DCompiler_47.pdbGCTL source: Collaboration-x64.exe, 00000000.00000003.1566249335.0000000004910000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\electron.exe.pdb source: Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\vk_swiftshader.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1588742307.0000000004913000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\projects\src\out\Default\libGLESv2.dll.pdb source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\win-x64-release\wiservice.pdb source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmp
Source: Binary string: unidrv.pdb source: wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmp
Source: Newtonsoft.Json.dll.7.dr | Static PE information: 0xDFF1C7F1 [Fri Jan 21 16:48:49 2089 UTC]
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Code function: 0_2_100010D0 GetVersionExW,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,lstrcpynW,lstrcmpiW,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcmpiW,CloseHandle,FreeLibrary,0_2_100010D0
Source: vulkan-1.dll.0.dr | Static PE information: section name: .gxfg
Source: vulkan-1.dll.0.dr | Static PE information: section name: .retplne
Source: vulkan-1.dll.0.dr | Static PE information: section name: _RDATA
Source: Wildix Collaboration.exe.0.dr | Static PE information: section name: .gxfg
Source: Wildix Collaboration.exe.0.dr | Static PE information: section name: .retplne
Source: Wildix Collaboration.exe.0.dr | Static PE information: section name: .rodata
Source: Wildix Collaboration.exe.0.dr | Static PE information: section name: CPADinfo
Source: Wildix Collaboration.exe.0.dr | Static PE information: section name: LZMADEC
Source: Wildix Collaboration.exe.0.dr | Static PE information: section name: _RDATA
Source: Wildix Collaboration.exe.0.dr | Static PE information: section name: malloc_h
Source: vulkan-1.dll0.0.dr | Static PE information: section name: .gxfg
Source: vulkan-1.dll0.0.dr | Static PE information: section name: .retplne
Source: vulkan-1.dll0.0.dr | Static PE information: section name: _RDATA
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section name: .gxfg
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section name: .retplne
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section name: .rodata
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section name: CPADinfo
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section name: LZMADEC
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section name: _RDATA
Source: Wildix Collaboration.exe0.0.dr | Static PE information: section name: malloc_h
Source: ffmpeg.dll.0.dr | Static PE information: section name: .gxfg
Source: ffmpeg.dll.0.dr | Static PE information: section name: .retplne
Source: ffmpeg.dll.0.dr | Static PE information: section name: _RDATA
Source: libEGL.dll.0.dr | Static PE information: section name: .gxfg
Source: libEGL.dll.0.dr | Static PE information: section name: .retplne
Source: libEGL.dll.0.dr | Static PE information: section name: _RDATA
Source: libGLESv2.dll.0.dr | Static PE information: section name: .gxfg
Source: libGLESv2.dll.0.dr | Static PE information: section name: .retplne
Source: libGLESv2.dll.0.dr | Static PE information: section name: _RDATA
Source: vk_swiftshader.dll.0.dr | Static PE information: section name: .gxfg
Source: vk_swiftshader.dll.0.dr | Static PE information: section name: .retplne
Source: vk_swiftshader.dll.0.dr | Static PE information: section name: _RDATA
Source: ffmpeg.dll0.0.dr | Static PE information: section name: .gxfg
Source: ffmpeg.dll0.0.dr | Static PE information: section name: .retplne
Source: ffmpeg.dll0.0.dr | Static PE information: section name: _RDATA
Source: libEGL.dll0.0.dr | Static PE information: section name: .gxfg
Source: libEGL.dll0.0.dr | Static PE information: section name: .retplne
Source: libEGL.dll0.0.dr | Static PE information: section name: _RDATA
Source: libGLESv2.dll0.0.dr | Static PE information: section name: .gxfg
Source: libGLESv2.dll0.0.dr | Static PE information: section name: .retplne
Source: libGLESv2.dll0.0.dr | Static PE information: section name: _RDATA
Source: vk_swiftshader.dll0.0.dr | Static PE information: section name: .gxfg
Source: vk_swiftshader.dll0.0.dr | Static PE information: section name: .retplne
Source: vk_swiftshader.dll0.0.dr | Static PE information: section name: _RDATA
Source: wiservice.exe.7.dr | Static PE information: section name: _RDATA
Source: wfaxport.dll.7.dr | Static PE information: section name: _RDATA
Source: WildixOutlookSync64.exe.7.dr | Static PE information: section name: _RDATA
Source: wfaxport.dll.98.dr | Static PE information: section name: _RDATA
Source: C:\Users\user\Desktop\Collaboration-x64.exe | Code function: 0_2_6EE138E0 push eax; ret 0_2_6EE1390E
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Code function: 7_2_701430C0 push eax; ret 7_2_701430EE
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | Code function: 20_2_701030C0 push eax; ret 20_2_701030EE
Source: msvcrt.dll.7.dr | Static PE information: section name: .text entropy: 6.892055007396566
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\UninstallWIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\fax\UNIRES.DLL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\resources\elevate.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exe | File created: C:\Windows\System32\spool\drivers\x64\unires.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exe | File created: C:\Windows\System32\wfaxport.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\UC.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SpiderBanner.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nseA5F.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\fax\wfaxport.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\websocket-sharp.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nseA5F.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exe | File created: C:\Windows\System32\spool\drivers\x64\unidrvui.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Office.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nstA20.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Users\user\AppData\Local\Temp\nskFFA1.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe | File created: C:\Windows\Temp\nstA20.tmp\System.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\nsProcess.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe | File created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLLJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\Wildix Collaboration.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\dotnet-dump.exeJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Program Files\Wildix Collaboration\libGLESv2.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\StdUtils.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\libEGL.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Users\user\AppData\Local\Temp\nskFFA1.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\wiservice.exeJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\ffmpeg.dllJump to dropped file
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\System32\spool\drivers\x64\unidrv.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\nsis7z.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeFile created: C:\Program Files\Wildix\WIService\Serilog.dllJump to dropped file
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\System32\spool\drivers\x64\unires.dllJump to dropped file
Source: C:\Program Files\Wildix\WIService\wiservice.exeFile created: C:\Windows\System32\wfaxport.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\7z-out\LICENSE.electron.txtJump to behavior
Source: C:\Users\user\Desktop\Collaboration-x64.exeFile created: C:\Program Files\Wildix Collaboration\LICENSE.electron.txtJump to behavior

Boot Survival

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Users\user\Desktop\Collaboration-x64.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix Collaboration.lnk
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\WIService
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\WIService\Uninstall.lnk
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run WIService
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Wildix\WIService\wiservice.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\UninstallWIService.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\UNIRES.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\Newtonsoft.Json.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exeJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\resources\elevate.exeJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\vulkan-1.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dllJump to dropped file
Source: C:\Program Files\Wildix\WIService\wiservice.exeDropped PE file which has not been started: C:\Windows\System32\spool\drivers\x64\unires.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookCommon.dllJump to dropped file
Source: C:\Program Files\Wildix\WIService\wiservice.exeDropped PE file which has not been started: C:\Windows\System32\wfaxport.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Program Files\Wildix Collaboration\Wildix Collaboration.exeJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookSync32.exeJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Program Files\Wildix Collaboration\vk_swiftshader.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\libGLESv2.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\UC.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SpiderBanner.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Windows\Temp\nseA5F.tmp\System.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\wfaxport.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\websocket-sharp.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Windows\Temp\nseA5F.tmp\nsExec.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\UNIDRV.DLLJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dllJump to dropped file
Source: C:\Program Files\Wildix\WIService\wiservice.exeDropped PE file which has not been started: C:\Windows\System32\spool\drivers\x64\unidrvui.dllJump to dropped file
Source: C:\Users\user\Desktop\Collaboration-x64.exeDropped PE file which has not been started: C:\Program Files\Wildix Collaboration\d3dcompiler_47.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\Office.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeDropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dllJump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Windows\Temp\nstA20.tmp\nsExec.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFFA1.tmp\nsExec.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\ffmpeg.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\libEGL.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\vulkan-1.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\System.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Windows\Temp\nstA20.tmp\System.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\nsProcess.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\vk_swiftshader.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\Wildix Collaboration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\dotnet-dump.exe
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\StdUtils.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Program Files\Wildix Collaboration\libGLESv2.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nskFFA1.tmp\System.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\libEGL.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\ffmpeg.dll
Source: C:\Program Files\Wildix\WIService\wiservice.exe Dropped PE file which has not been started: C:\Windows\System32\spool\drivers\x64\unidrv.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\nsis7z.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Dropped PE file which has not been started: C:\Program Files\Wildix\WIService\Serilog.dll
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe TID: 4268 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe TID: 5464 Thread sleep count: 44 > 30
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe TID: 3796 Thread sleep count: 77 > 30
Source: C:\Program Files\Wildix\WIService\wiservice.exe TID: 920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Collaboration-x64.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_004059CC GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,0_2_004059CC
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_004065FD FindFirstFileW,FindClose,0_2_004065FD
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_00402868 FindFirstFileW,0_2_00402868
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 7_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,7_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 7_2_00406873 FindFirstFileW,FindClose,7_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 7_2_0040290B FindFirstFileW,7_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 18_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,18_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 18_2_00406873 FindFirstFileW,FindClose,18_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 18_2_0040290B FindFirstFileW,18_2_0040290B
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 20_2_00405C49 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,20_2_00405C49
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 20_2_00406873 FindFirstFileW,FindClose,20_2_00406873
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Code function: 20_2_0040290B FindFirstFileW,20_2_0040290B
Source: C:\Program Files\Wildix\WIService\wiservice.exe Thread delayed: delay time: 922337203685477
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: VMware
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: (IsLinux() && isVMWare) || (IsAndroid() && isNvidia) || (IsAndroid() && GetAndroidSDKVersion() < 27 && IsAdreno5xxOrOlder(functions)) || (!isMesa && IsMaliT8xxOrOlder(functions)) || (!isMesa && IsMaliG31OrOlder(functions))
Source: Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: IIAMDARMAppleBroadcomGoogleIntelMesaMicrosoftNVIDIAImagination TechnologiesQualcommSamsung Electronics Co., Ltd.VivanteVMwareVirtIOTest
Source: Collaboration-x64.exe, 00000000.00000003.1568113373.0000000004910000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmncVMware Screen Codec / VMware Videovp5On2 VP5vp6On2 VP6vp6fOn2 VP6 (Flash version)targaTruevision Targa imageimage/x-targaimage/x-tga
Source: Collaboration-x64.exe, 00000000.00000003.1692364098.0000000004EAB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-0
Source: Collaboration-x64.exe, 00000000.00000003.1535838288.0000000006F89000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: lgnW2/4/PEZB31jiVg88O8EckzXZOFKs7sjsLjBOlDW0JB9LeGna8gI4zJVSk/BwJVmcIGfE
Source: Collaboration-x64.exe, 00000000.00000003.1568113373.0000000004910000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Screen Codec / VMware Video
Source: svchost.exe, 00000002.00000002.2540009198.00000199FAA2B000.00000004.00000020.00020000.00000000.sdmp, wiservice.exe, 00000062.00000003.1904139131.000002E14349F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Collaboration-x64.exe API call chain: ExitProcess graph end node graph_0-8995
Source: C:\Users\user\Desktop\Collaboration-x64.exe API call chain: ExitProcess graph end node graph_0-8992
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe API call chain: ExitProcess graph end node graph_7-4488
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe API call chain: ExitProcess graph end node graph_7-4332
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe API call chain: ExitProcess graph end node graph_18-3466
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe API call chain: ExitProcess graph end node graph_20-4302
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe API call chain: ExitProcess graph end node graph_20-4459
Source: C:\Users\user\Desktop\Collaboration-x64.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\Collaboration-x64.exe Code function: 0_2_100010D0 GetVersionExW,LoadLibraryW,GetProcAddress,LocalAlloc,LocalAlloc,NtQuerySystemInformation,LocalFree,LocalAlloc,FreeLibrary,lstrcpynW,lstrcmpiW,LocalFree,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,lstrlenW,lstrlenA,MultiByteToWideChar,lstrcmpiW,CloseHandle,FreeLibrary,0_2_100010D0
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIService.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wirtpproxy.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM wiservice-ui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM vncsrv.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /C taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Source: C:\Windows\SysWOW64\cmd.exeProcess created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIService.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WIui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wirtpproxy.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM wiservice-ui.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM vncsrv.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookIntegration.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync32.exe
Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM WildixOutlookSync64.exe
Source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmpBinary or memory string: {}delete server {:#x}new {}x{} {}bpp framebufferdeleting old {}x{} {}bpp framebufferframebuffer size changed {}x{} -> {}x{}unsetting desktop {:#x}couldn't send ERROR messagecouldn't send auth result: %serror sending OK messagewrite timeoutInvalid Security Typeinvalid security type {}read error while receiving security typeclient gone while receiving security typerects data size mismatch ({})couldn't send encoded datacouldn't send raw datacouldn't send rect headercouldn't send update message headerclient gone while sending update message headercouldn't send message headersending {} rectsVNC main thread started SERVER: {:#08x}vnccouldn't send update message rect headerregister RFB encoding: code:{:#x} name:{}Encoding 0x%Xregister RFB message: code:{}couldn't initialize extensioncouldn't send protocol versionserver extension returned FALSE on connectregister RFB pseudo encoding: code:{:#x} name:{}PseudoEncoding 0x%Xclient RFB version: {}.{}invalid RFB clientcouldn't receive client protocol versionclient gone while receiving protocol versionusing auth type {}minor RFB version mismatchRFB version mismatch: server %d.%d, client %d.%dmajor RFB version mismatchcouldn't receive client init messageclient gone while initializingcouldn't send auth typeclient gone while sending auth typecouldn't create output threadcouldn't send server init messageclient gone while sending server init messageframebuffer size: {}x{}couldn't receive SetPixelFormat messageclient gone while receiving SetPixelFormat messagecouldn't receive client messageclient gone while receiving messagefix_color_map_entries is not supportedcouldn't FixColorMapEntries messageclient gone while receiving FixColorMapEntries messagerequested {}bpp pixel formatcouldn't recieve encoding typeclient gone while receiving encoding typecouldn't receive SetEncodings messageclient gone while 
receiving SetEncodings messageextension failed to process encoding {}recv encoding: {}enabling immediate_update extension for client {}enabling desktop_resize extension for client {}client gone while receiving FramebufferUpdateRequest messageunknown encoding type: {:#x}extension failed to process pseudo encoding {}recv pseudo encoding: {}presscouldn't receive KeyEvent messageclient gone while receiving KeyEvent messagecouldn't receive FrameBufferUpdateRequest messagecouldn't receive PointerEvent messageclient gone while receiving PointerEvent messagerecv key_event: keysym:{:#x} {}unpresscouldn't receive clipboard textclient gone while receiving clipboard textcouldn't receive CutText messageclient gone while receiving CutText messageextension failed to process message {}couldn't receive SetScaleFactor messageclient gone while receiving SetScaleFactor messagerecv clipboard: {}failed to deinit extensionserver extension returned FALSE on disconnectcouldn't join output threadunknown client message {}couldn't send extension dataclient gone while sending extension dataout vncVNC main thread EXIT SERVER: {:#08x}performing full fr
Source: Collaboration-x64.exe, 00000000.00000003.1535838288.0000000006E22000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: ..\..\third_party\webrtc\modules\desktop_capture\win\window_capture_utils.ccFail to create instance of VirtualDesktopManagerChrome_WidgetWin_Progman..\..\third_party\webrtc\modules\desktop_capture\cropping_window_capturer.ccWindow no longer on top when ScreenCapturer finishesScreenCapturer failed to capture a frameWindow rect is emptyWindow is outside of the captured displaySysShadowWebRTC.DesktopCapture.Win.WindowGdiCapturerFrameTimeWindowCapturerWinGdi::CaptureFrame..\..\third_party\webrtc\modules\desktop_capture\win\window_capturer_win_gdi.ccWindow hasn't been selected: Target window has been closed.Failed to get drawable window area: Failed to get window DC: Failed to create frame.Both PrintWindow() and BitBlt() failed.Capturing owned window failed (previous error/warning pertained to that)WebRTC.DesktopCapture.BlankFrameDetectedWebRTC.DesktopCapture.PrimaryCapturerSelectSourceErrorWebRTC.DesktopCapture.PrimaryCapturerErrorWebRTC.DesktopCapture.PrimaryCapturerPermanentErrordwmapi.dllDwmEnableCompositionScreenCapturerWinGdi::CaptureFrame..\..\third_party\webrtc\modules\desktop_capture\win\screen_capturer_win_gdi.ccFailed to capture screen by GDI.WebRTC.DesktopCapture.Win.ScreenGdiCapturerFrameTimedesktop_dc_memory_dc_Failed to get screen rect.Failed to create frame buffer.Failed to select current bitmap into memery dc.BitBlt failed..\..\third_party\webrtc\modules\desktop_capture\win\cursor.ccCreateMouseCursorFromHCursorUnable to get cursor icon info. Error = Unable to get bitmap info. Error = Unable to get bitmap bits. Error = `
Source: wiservice.exe, 00000062.00000000.1873773737.00007FF6B3181000.00000002.00000001.01000000.00000015.sdmpBinary or memory string: couldn't create streamer iteration threadcouldn't join streamer iteration threadjoin streamer iteration threadstreamerC:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\wiservice\integrations\screen-sharing\Streamer.cppWD_REFM_OKWD_REFM_01streamer's pending connection couldn't complete in {}mswaiting for all connections to resolveinvalid wildix auth replywildix auth reply '{}' receivedwildix auth marker '{}' sentXauth failedcouldn't create socketconnecting to {}:{}seqid {:#x} does not match last sent PING request ({:#x})configinvalid peer '{}'%dserver connectedSHUTDOWNcouldn't reconnectE_SCREEN_SHARINGdisplayssetting 'display' parameter to '{}'put message on hold because user does not allow remote controlpongR_SCREEN_SHARINGcouldn't parse message JSONlaunching system process toolsetting 'app' parameter to '{}'setting 'control' parameter to '{}'pinginvalid commandseqidinvalid msgdataunrecognized command '{}'showprocesstoolgetconfigsetparametersdesktop recording is restrictedprocess pending parameters change requestlast iteration took {}ms{}:{}recreating desktop objectsecond lock took {}msdesktop update took {}msdesktop target check took {}msfirst lock took {}mssleep took {}msthird lock took {}msframebuffer update took {}msdesktop resize took {}msconnection goneserver screenupdate took {} msclosing server due to screen resizesize: {}x{}, desktop size: {}x{}exit loopreconnecting due to error, {} attempts left{}ms without PONG replies from clientWIService.DesktopNotifyC:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\wiservice\integrations\screen-sharing\utils\win\WinDesktopConfiguration.cppStarting desktop notifications loopProgmanFinishing desktop notifications loopDesktop configuration changedCouldn't create desktop notification window. 
CreateWindowExW() failed with error {}Generic PnP MonitorRefreshing desktop configurationRefreshing window configurationButtonNo HMONITOR found for supplied device index {}hi.
Source: C:\Windows\SysWOW64\netsh.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exeQueries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_6EE0EB20 GetSystemTime,SystemTimeToFileTime,0_2_6EE0EB20
Source: C:\Users\user\Desktop\Collaboration-x64.exeCode function: 0_2_0040338F EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,0_2_0040338F

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\Collaboration-x64.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Source: C:\Users\user\Desktop\Collaboration-x64.exeProcess created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 31 Disable or Modify Tools | 11 Input Capture | 1 System Time Discovery | Remote Services | 11 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 1 Native API | 1 DLL Search Order Hijacking | 1 DLL Search Order Hijacking | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 2 File and Directory Discovery | Remote Desktop Protocol | 11 Input Capture | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Scheduled Task/Job | 11 Windows Service | 1 Access Token Manipulation | 3 Obfuscated Files or Information | Security Account Manager | 17 System Information Discovery | SMB/Windows Admin Shares | 1 Clipboard Data | 1 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Scheduled Task/Job | 11 Windows Service | 1 Software Packing | NTDS | 1 Security Software Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | 11 Registry Run Keys / Startup Folder | 12 Process Injection | 1 Timestomp | LSA Secrets | 21 Virtualization/Sandbox Evasion | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Scheduled Task/Job | 1 DLL Side-Loading | Cached Domain Credentials | 3 Process Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | 11 Registry Run Keys / Startup Folder | 1 DLL Search Order Hijacking | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 File Deletion | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 23 Masquerading | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | 21 Virtualization/Sandbox Evasion | Network Sniffing | Network Service Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
Network Security Appliances | Domains | Compromise Software Dependencies and Development Tools | AppleScript | Launchd | Launchd | 1 Access Token Manipulation | Input Capture | System Network Connections Discovery | Software Deployment Tools | Remote Data Staging | Mail Protocols | Exfiltration Over Unencrypted Non-C2 Protocol | Firmware Corruption
Gather Victim Org Information | DNS Server | Compromise Software Supply Chain | Windows Command Shell | Scheduled Task | Scheduled Task | 12 Process Injection | Keylogging | Process Discovery | Taint Shared Content | Screen Capture | DNS | Exfiltration Over Physical Medium | Resource Hijacking
Behavior Graph (ID: 1590179, Sample: Collaboration-x64.exe, Startdate: 13/01/2025, Architecture: WINDOWS, Score: 57)

Source | Detection | Scanner | Label | Link
Collaboration-x64.exe | 0% | ReversingLabs
Collaboration-x64.exe | 0% | Virustotal | | Browse

Source | Detection | Scanner | Label | Link
C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe | 0% | ReversingLabs
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | 0% | ReversingLabs
C:\Program Files\Wildix Collaboration\ffmpeg.dll | 0% | ReversingLabs
C:\Program Files\Wildix Collaboration\libEGL.dll | 0% | ReversingLabs
C:\Program Files\Wildix Collaboration\libGLESv2.dll | 0% | ReversingLabs
C:\Program Files\Wildix Collaboration\vk_swiftshader.dll | 0% | ReversingLabs
C:\Program Files\Wildix Collaboration\vulkan-1.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\DseaCallControlSdk.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Microsoft.Office.Interop.Outlook.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Common.v4.0.Utilities.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Microsoft.Office.Tools.Outlook.v4.0.Utilities.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Microsoft.Office.Uc.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Newtonsoft.Json.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Office.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Serilog.Sinks.Console.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Serilog.Sinks.Debug.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Serilog.Sinks.File.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\Serilog.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\UC.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\UninstallWIService.exe | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\WildixOutlookAddin.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\WildixOutlookCommon.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\WildixOutlookIntegration.exe | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\WildixOutlookSync32.exe | 3% | ReversingLabs
C:\Program Files\Wildix\WIService\WildixOutlookSync64.exe | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\dotnet-dump.exe | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\fax\UNIDRV.DLL | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\fax\UNIDRVUI.DLL | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\fax\UNIRES.DLL | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\fax\wfaxport.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfu.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\headsetFirmwares\HidDfuCmd.exe | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcm80.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcp80.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcr80.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\headsetFirmwares\msvcrt.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\websocket-sharp.dll | 0% | ReversingLabs
C:\Program Files\Wildix\WIService\wiservice.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nskFFA1.tmp\System.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nskFFA1.tmp\nsExec.dll | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\Wildix Collaboration.exe | 0% | ReversingLabs
C:\Users\user\AppData\Local\Temp\nsn4886.tmp\7z-out\d3dcompiler_47.dll | 0% | ReversingLabs
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
https://www.chromestatus.com/feature/5093566007214080ErrorEventInitG | 0% | Avira URL Cloud | safe
https://www.bluetooth.com/specifications/gatt/services | 0% | Avira URL Cloud | safe
https://www.chromestatus.com/feature/5093566007214080 | 0% | Avira URL Cloud | safe
https://anglebug.com/8471 | 0% | Avira URL Cloud | safe
http://anglebug.com/8280enableTranslatedShaderSubstitutionCheck | 0% | Avira URL Cloud | safe
https://semver.org/ | 0% | Avira URL Cloud | safe
https://crbug.com/1356053 | 0% | Avira URL Cloud | safe
https://primer.com.Uporaba | 0% | Avira URL Cloud | safe
https://w3c.github.io/manifest/#installability-signals | 0% | Avira URL Cloud | safe
https://passwords.google.comRa | 0% | Avira URL Cloud | safe
http://anglebug.com/3997 | 0% | Avira URL Cloud | safe
http://anglebug.com/2894 | 0% | Avira URL Cloud | safe
http://www.portaudio.com | 0% | Avira URL Cloud | safe
https://ajv.js.org | 0% | Avira URL Cloud | safe
https://crbug.com/650547callClearTwiceUsing | 0% | Avira URL Cloud | safe
http://crbug.com/1420130 | 0% | Avira URL Cloud | safe
https://www.khronos.org/registry/ | 0% | Avira URL Cloud | safe
https://issuetracker.google.com/309028728 | 0% | Avira URL Cloud | safe
https://ejemplo.com.Se | 0% | Avira URL Cloud | safe
http://juliangruber.com | 0% | Avira URL Cloud | safe
https://www.chromestatus.com/feature/6662647093133312 | 0% | Avira URL Cloud | safe
http://anglebug.com/3729 | 0% | Avira URL Cloud | safe
http://anglebug.com/8297 | 0% | Avira URL Cloud | safe
https://issuetracker.google.com/292285899 | 0% | Avira URL Cloud | safe
https://crbug.com/1144908 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
feedback.wildix.com | 3.126.89.4 | true | false | | high
crt.sectigo.com | unknown | unknown | false | | high
time.windows.com | unknown | unknown | false | | high
        NameSourceMaliciousAntivirus DetectionReputation
                                    https://github.com/google/pprof/tree/master/protoCollaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                      high
                                      https://github.com/jrmuizel/qcms/tree/v4Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                        high
                                        https://chromium.googlesource.com/chromium/src/Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                          high
                                          https://anglebug.com/7246Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                            high
                                            https://anglebug.com/7369Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                              high
                                              https://anglebug.com/7489Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                high
                                                https://primer.com.UporabaCollaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmpfalse
                                                • Avira URL Cloud: safe
                                                unknown
                                                https://bit.ly/3rpDuEX.Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpfalse
                                                  high
                                                  https://crbug.com/593024Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    high
                                                    https://w3c.github.io/manifest/#installability-signalsCollaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://exslt.org/commonCollaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpfalse
                                                      high
                                                      https://github.com/tensorflow/modelsCollaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                        high
                                                        https://c.docs.google.com/Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpfalse
                                                          high
                                                          https://github.com/KhronosGroup/SPIRV-Headers.gitCollaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                            high
                                                            http://cevcsca2021.crl.certum.pl/cevcsca2021.crl0wCollaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmp, wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                              high
                                                              https://issuetracker.google.com/161903006Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                high
                                                                https://crbug.com/1300575Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://crbug.com/710443Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://github.com/tensorflow/tflite-supportCollaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://passwords.google.comRaCollaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://pypi.org/project/pyparsingCollaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        high
                                                                        https://sqlite.org/Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://crbug.com/1060012Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            high
                                                                            http://anglebug.com/3997Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                            • Avira URL Cloud: safe
                                                                            unknown
                                                                            http://anglebug.com/4722Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://crbug.com/642605Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                high
                                                                                http://anglebug.com/1452Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  https://github.com/gpuweb/gpuweb/wiki/Implementation-Status#implementation-statusFailedCollaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                    high
                                                                                    https://developer.chrome.com/docs/extensions/mv3/service_workers/events/ScriptCollaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://sizzlejs.com/Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://crbug.com/650547callClearTwiceUsingCollaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://html4/loose.dtdCollaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          http://crbug.com/1420130Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: safe
                                                                                          unknown
                                                                                          http://anglebug.com/3502Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            http://anglebug.com/3623Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://www.portaudio.comCollaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://anglebug.com/3625Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://anglebug.com/3624Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://beacons.gcp.gvt2.com/domainreliability/uploadCollaboration-x64.exe, 00000000.00000003.1534119268.0000000005310000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    http://anglebug.com/2894Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                    • Avira URL Cloud: safe
                                                                                                    unknown
                                                                                                    http://anglebug.com/3862Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      https://json-schema.org/draft/2020-12/meta/coreCollaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        http://anglebug.com/4836Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://issuetracker.google.com/issues/166475273Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://github.com/google/shell-encryptionCollaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://goo.gl/4NeimXOriginCollaboration-x64.exe, 00000000.00000003.1534119268.0000000005393000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  http://subca.ocsp-certum.com05Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    http://subca.ocsp-certum.com02Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmp, wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://issuetracker.google.com/309028728Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                      • Avira URL Cloud: safe
                                                                                                                      unknown
                                                                                                                      http://anglebug.com/3970Collaboration-x64.exe, 00000000.00000003.1401397800.0000000005850000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://subca.ocsp-certum.com01Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2542702950.0000000005C1F000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1692265047.0000000005C1B000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://chromeenterprise.google/policies/#BrowserSwitcherUrlListCollaboration-x64.exe, 00000000.00000003.1670989260.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1658732630.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1659140106.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1682065276.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1670426386.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1667793153.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663480650.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1660935742.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668892835.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668517503.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1678959559.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1661227114.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1656683498.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1663048464.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1665272661.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1655296647.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 
00000000.00000003.1655736025.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1664160638.0000000005C11000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1668191893.0000000005C11000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://repository.certum.pl/ctnca2.cer09Collaboration-x64.exe, 00000000.00000003.1593904000.0000000004915000.00000004.00000020.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1530328602.0000000004490000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp, Collaboration-x64.exe, 00000000.00000003.1530588167.0000000004BC0000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1535374961.0000000006810000.00000004.00001000.00020000.00000000.sdmp, SetupWIService.exe, 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, SetupWIService.exe, 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp, wiservice.exe, 00000062.00000003.1889082872.000002E1434F8000.00000004.00000020.00020000.00000000.sdmp, wiservice.exe, 00000062.00000003.1888297725.000002E1434F7000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://ajv.js.orgCollaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1386249966.0000000005510000.00000004.00001000.00020000.00000000.sdmpfalse
                                                                                                                              • Avira URL Cloud: safe
                                                                                                                              unknown
                                                                                                                              https://github.com/webpack/webpack/issues/196Collaboration-x64.exe, 00000000.00000003.1386644303.0000000005A10000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1685879034.0000000004910000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://www.khronos.org/registry/Collaboration-x64.exe, 00000000.00000003.1366854534.0000000005510000.00000004.00001000.00020000.00000000.sdmp, Collaboration-x64.exe, 00000000.00000003.1583419505.000000000491C000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                unknown
                                                                                                                                                              No contacted IP infos
                                                                                                                                                              Joe Sandbox version:42.0.0 Malachite
                                                                                                                                                              Analysis ID:1590179
                                                                                                                                                              Start date and time:2025-01-13 17:20:43 +01:00
                                                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                                                              Overall analysis duration:0h 12m 38s
                                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                                              Report type:full
                                                                                                                                                              Cookbook file name:default.jbs
                                                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                                                                                                                                              Number of analysed new started processes analysed:143
                                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                                              Technologies:
                                                                                                                                                              • HCA enabled
                                                                                                                                                              • EGA enabled
                                                                                                                                                              • AMSI enabled
                                                                                                                                                              Analysis Mode:default
                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                              Sample name:Collaboration-x64.exe
                                                                                                                                                              Detection:MAL
                                                                                                                                                              Classification:mal57.evad.winEXE@239/173@3/0
                                                                                                                                                              EGA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              HCA Information:
                                                                                                                                                              • Successful, ratio: 100%
                                                                                                                                                              • Number of executed functions: 190
                                                                                                                                                              • Number of non-executed functions: 217
                                                                                                                                                              Cookbook Comments:
                                                                                                                                                              • Found application associated with file extension: .exe
                                                                                                                                                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, SIHClient.exe, conhost.exe
                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 51.137.137.111, 52.109.32.97, 52.113.194.132, 172.64.149.23, 104.18.38.233, 2.23.242.162, 13.107.253.45, 20.12.23.50
                                                                                                                                                              • Excluded domains from analysis (whitelisted): ecs.office.com, crt.comodoca.com.cdn.cloudflare.net, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, twc.trafficmanager.net, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, s-0005-office.config.skype.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com, ecs-office.s-0005.s-msedge.net, crt.comodoca.com, s-0005.s-msedge.net, config.officeapps.live.com, e16604.g.akamaiedge.net, crt.usertrust.com, officeclient.microsoft.com, ecs.office.trafficmanager.net, ukw-azsc-config.officeapps.live.com, prod.fs.microsoft.com.akadns.net, europe.configsvc1.live.com.akadns.net
                                                                                                                                                              • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                              • Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time | Type | Description
11:21:56 | API Interceptor | 161x Sleep call for process: Collaboration-x64.exe modified
19:18:36 | Task Scheduler | Run new task: WIService failed update recovery path: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" s>/S /updateRecovery=true
19:18:36 | Task Scheduler | Run new task: WIService update recovery path: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" s>/S
19:18:54 | Task Scheduler | Run new task: WIService update checker path: C:\Program Files\Wildix\WIService\wiservice.exe s>--update
19:18:56 | Autostart | Run: HKLM64\Software\Microsoft\Windows\CurrentVersion\Run WIService C:\Program Files\Wildix\WIService\WIService.exe
                                                                                                                                                              No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
feedback.wildix.com | 3.19.1+SetupWIService.exe | malicious | Unknown | 52.58.254.151
feedback.wildix.com | file_83f986ef2d0592ef993924a8cc5b8d6a_2025-01-07_10_04_01_718000.zip | malicious | Unknown | 3.69.183.96
feedback.wildix.com | 3.17.7+SetupWIService.exe | malicious | Unknown | 52.29.89.211
feedback.wildix.com | SetupWIService.exe | malicious | Unknown | 3.64.145.227
feedback.wildix.com | SetupWIService.exe | malicious | Unknown | 3.64.145.227
feedback.wildix.com | SetupWIService.exe | malicious | GuLoader | 54.93.167.246
feedback.wildix.com | SetupWIService.exe | malicious | GuLoader | 54.93.167.246
feedback.wildix.com | SetupWIService.exe | malicious | GuLoader | 35.157.107.60
feedback.wildix.com | SetupWIService.exe | malicious | Unknown | 35.157.107.60
                                                                                                                                                              No context
                                                                                                                                                              No context
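Match | Associated Sample Name / URL | Detection | Threat Name
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | Yoranis Setup.exe | malicious | Unknown
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | Yoranis Setup.exe | malicious | Unknown
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | SalmonSamurai.exe | malicious | Unknown
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | SalmonSamurai.exe | malicious | Unknown
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | NativeApp_G5L1NHZZ.exe | malicious | LummaC Stealer
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | CapCut_12.0.4_Installer.exe | malicious | LummaC Stealer
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | CapCut_12.0.4_Installer.exe | malicious | LummaC Stealer
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | AyqwnIUrcz.exe | malicious | Unknown
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | nanophanotool.exe | malicious | LummaC Stealer
C:\Program Files\Wildix Collaboration\d3dcompiler_47.dll | 9VbeqQbgU4.exe | malicious | RedLine, SectopRAT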
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1096
                                                                                                                                                                                  Entropy (8bit):5.13006727705212
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                                                                                                                                  MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                                                                                                                                  SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                                                                                                                                  SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                                                                                                                                  SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):9174266
                                                                                                                                                                                  Entropy (8bit):4.780443521000387
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:KPQQ/6MP6P5d1n+wRcXe1Lmfpm6k626D6b6+eGnkywBIpv:Cy8OeG8k
                                                                                                                                                                                  MD5:BD0CED1BC275F592B03BAFAC4B301A93
                                                                                                                                                                                  SHA1:68776B7D9139588C71FBC51FE15243C9835ACB67
                                                                                                                                                                                  SHA-256:AD35E72893910D6F6ED20F4916457417AF05B94AB5204C435C35F66A058D156B
                                                                                                                                                                                  SHA-512:5052AE32DAE0705CC29EA170BCC5210B48E4AF91D4ECEC380CB4A57CE1C56BC1D834FC2D96E2A0F5F640FCAC8CAFE4A4FDD0542F26CA430D76AA8B9212BA77AA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<label class="show show-all" tabindex="0">.<input type="checkbox" hidden>.</label>.<div class="open-sourced">. Chromium software is made available as source code. <a href="https://source.chromium.org/chromium">here</a>..</div>..<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<labe
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):176619800
                                                                                                                                                                                  Entropy (8bit):6.749624619122867
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1572864:SgRMg/aKxl4b7qCDQtjovZT78wLF2pArKgDz6ObiISXD+Dyj3eRalD2kGpTe/2H1:Gg/geeFXzGa9FzV
                                                                                                                                                                                  MD5:5DAD490CE110FCDF62D3F38296A3FC44
                                                                                                                                                                                  SHA1:D6ACC8D53CED56D53FE3EFAAF1E35D508D00AD56
                                                                                                                                                                                  SHA-256:E1AD240972ABB42861807E99AB09DB018367EA04462D201D48D55E5E353FB6B9
                                                                                                                                                                                  SHA-512:A3F81654B654006588BDB41664F5440B4FE97BE8DE01E4FF64D7DD4716531C411A477085C43D0BB5F38BD7CDEAB43C2865F345F53172CE781A085F066A165E4C
                                                                                                                                                                                  Malicious:true
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):154426
                                                                                                                                                                                  Entropy (8bit):7.915623092881329
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:AzwJCGIekwENgMBsFAXg6VKdL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:Azw1IekmMBdQXK18Gb0OV8ld0GecQ3Ey
                                                                                                                                                                                  MD5:B1BCCF31FA5710207026D373EDD96161
                                                                                                                                                                                  SHA1:AE7BB0C083AEA838DF1D78D61B54FB76C9A1182E
                                                                                                                                                                                  SHA-256:49AFF5690CB9B0F54F831351AA0F64416BA180A0C4891A859FA7294E81E9C8E3
                                                                                                                                                                                  SHA-512:134A13AD86F8BD20A1D2350236269FD39C306389A600556A82025D5E0D5ADAAB0709D59E9B7EE96E8E2D25B6DF49FEFEA27CDCCEFE5FBA9687ABF92A9A941D91
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):235060
                                                                                                                                                                                  Entropy (8bit):7.947114238566176
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:gDQYaSN6svydrI8jDQUgx5GMRejnbdZnVE6YoppO4:NfSN6svydZ6edhVELoXO4
                                                                                                                                                                                  MD5:E02160C24B8077B36FF06DC05A9DF057
                                                                                                                                                                                  SHA1:FC722E071CE9CAF52AD9A463C90FC2319AA6C790
                                                                                                                                                                                  SHA-256:4D5B51F720F7D3146E131C54A6F75E4E826C61B2FF15C8955F6D6DD15BEDF106
                                                                                                                                                                                  SHA-512:1BF873B89B571974537B685CDB739F8ED148F710F6F24F0F362F8B6BB605996FCFEC1501411F2CB2DF374D5FDAF6E2DAAADA8CEA68051E3C10A67030EA25929E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4916712
                                                                                                                                                                                  Entropy (8bit):6.398049523846958
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
                                                                                                                                                                                  MD5:2191E768CC2E19009DAD20DC999135A3
                                                                                                                                                                                  SHA1:F49A46BA0E954E657AAED1C9019A53D194272B6A
                                                                                                                                                                                  SHA-256:7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
                                                                                                                                                                                  SHA-512:5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Joe Sandbox View:
                                                                                                                                                                                  • Filename: Yoranis Setup.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: Yoranis Setup.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: SalmonSamurai.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: SalmonSamurai.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: NativeApp_G5L1NHZZ.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: CapCut_12.0.4_Installer.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: AyqwnIUrcz.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: nanophanotool.exe, Detection: malicious, Browse
                                                                                                                                                                                  • Filename: 9VbeqQbgU4.exe, Detection: malicious, Browse
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2866176
                                                                                                                                                                                  Entropy (8bit):6.71639664914218
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:G9T1onpO0KVy2xq6To8i4BZy7+niuoen6yfzv9x0WFJDI:upKNMo8rBYinp/FFJM
                                                                                                                                                                                  MD5:8F3D89744AE11B0925FAF4B64890D0D7
                                                                                                                                                                                  SHA1:6A8F744BE1F76E9AD28287D969D8D24F5F1E7623
                                                                                                                                                                                  SHA-256:11DAF2BF89A3AC660533B3E487E0624668B35F45D2BD94E9B0324BCE8758DE60
                                                                                                                                                                                  SHA-512:250C06E70276C08D3D8A63744AF6C570B6288E1D8FED8DEED915C79BF0A80C3CD0A7E64C55A16FCBC50CCBCBC9910B26F87983CEEEA8ED28A75C1B8EC22DB53F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):10717680
                                                                                                                                                                                  Entropy (8bit):6.282426578921538
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:196608:WgPBhORiuQwCliXUxbblHa93Whli6Z26wO+:W8wkDliXUxbblHa93Whli6ZUF
                                                                                                                                                                                  MD5:74BDED81CE10A426DF54DA39CFA132FF
                                                                                                                                                                                  SHA1:EB26BCC7D24BE42BD8CFBDED53BD62D605989BBF
                                                                                                                                                                                  SHA-256:7BF96C193BEFBF23514401F8F6568076450ADE52DD1595B85E4DFCF3DE5F6FB9
                                                                                                                                                                                  SHA-512:BD7B7B52D31803B2D4B1FD8CB76481931ED8ABB98D779B893D3965231177BDD33386461E1A820B384712013904DA094E3CD15EE24A679DDC766132677A8BE54A
                                                                                                                                                                                  Malicious:false
Preview: Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):479232
                                                                                                                                                                                  Entropy (8bit):6.363205504415342
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:0Jk+JyNnPUXhbZ/+a1KYsjNDsrJg3qkrzxwbP6wvEMrwrD7Qy/x6TYtaoB+YEB0+:qbTcZ6+lOP9rmD7QMYYtaFy951wj5ze
                                                                                                                                                                                  MD5:F1FE23058E7EECE1DE389A0C882BC1AD
                                                                                                                                                                                  SHA1:E83B15D2BBCB6FB2867651A2A9797ED3B6827947
                                                                                                                                                                                  SHA-256:A4336A318E8D92A47843D5FE429DC6D1FF7271D8BAC189D719BC8074A128FD6E
                                                                                                                                                                                  SHA-512:D7D51FCB05542FA81E871DD9F1DD960C363107D1C25311DCBF81E440D1275054C121A788DEF8DBAE47C129E95FD990042E2D39E6EF2BDFB253A114146EB33973
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7692800
                                                                                                                                                                                  Entropy (8bit):6.501902638931627
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:98304:9x8EI0RtffaYFH3lV5D3u31okx/6bXm3q:LhXfTFHmoKgCq
                                                                                                                                                                                  MD5:76141455CD2705897D38E9785117E405
                                                                                                                                                                                  SHA1:EE091646B6273BF006CFCD84FD54384B0A9D0E0F
                                                                                                                                                                                  SHA-256:7B0BAA9E2E731716EFE3E0BEBF6A0BCD2D64F35D9F62B20D23ACB4E098C9BE36
                                                                                                                                                                                  SHA-512:551B79AAFFDC469448477AA72554458235F118559EECC567C232599A4193B2639C14EAFACAD533485089AF58701AEABEE690B43F36E41342F928D4973EFC02E1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5281234
                                                                                                                                                                                  Entropy (8bit):7.996903093990653
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:98304:UCNks/PeeUfLi93zJ/HbKKSoDr+cgSrwrNl8dtSip6QaVaK2nwuoM10mpmjy+0V4:UAk03dB7KRcRkrNi/SQaVN2wuJ10Le+1
                                                                                                                                                                                  MD5:54790975C932460FFA375CD0F0F8FFF0
                                                                                                                                                                                  SHA1:05B72FF82ABB8DDAC1A92471F765B87B7FF1E9FD
                                                                                                                                                                                  SHA-256:1EFDD507BB6F4FB07329EC7EC29EE00C952D6390BD5CFE3B41FB307C5CAEAB6C
                                                                                                                                                                                  SHA-512:D74627207CAA35602E68AD6C08A0EBF55FE062E191A1885EB38226755D382DD3407DEA883E4337C5CFF23C1F724D64E5598EDF7A5CE93D4CC1EA6EA10C41AA0E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):306214
                                                                                                                                                                                  Entropy (8bit):4.392850925698206
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ogusbBDoCIdRSt25iD1Z3yAcCLi9wfuwWMvDdkbMzaQ:ogus9oCM9OUYffnWYWbIF
                                                                                                                                                                                  MD5:AEDD1B80A8140B94C00DB3C0B9485772
                                                                                                                                                                                  SHA1:2DC8444E599438ED37A31EBFE7F8859AF7FAC631
                                                                                                                                                                                  SHA-256:C1DA41052ABE31791AE90A9DBE54442A641E1ECBB018EF35C44E7AED05B8F72E
                                                                                                                                                                                  SHA-512:3E06CB550F46285D8DC81D1F082732C07E9C9D81ABE931E859262C7BA699D4EB9737581F5A5C5174E09BB0FC0561A9DE46298714CED38F453F922F9536C67D0C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 6 icons, 256x256, 32 bits/pixel, -128x-128, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):370070
                                                                                                                                                                                  Entropy (8bit):2.6581238785102768
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:gie1tRXMK6JS1ZMciuawKELOW2YP6GRQj8zigQHP24ETHybd29l9qPk6a3aW2r8G:QCqyW2YKuPa8TVOwzFdc
                                                                                                                                                                                  MD5:2732C2EFCD1469E4884ACB001A3313DC
                                                                                                                                                                                  SHA1:01179ED18A513AFC7D94D5843E2DAB37460605F5
                                                                                                                                                                                  SHA-256:070398CF2F3D8A42C62B31B32402BB81ED3B6FF56A5DCCF75E3CB788496960CC
                                                                                                                                                                                  SHA-512:44145D38E59D8070646293DC8A56E4906BB2B6E3A6D005FEE41F3808BEB0D64687583A941EEB29D3AC7A3C6C1DF3A5EAB04DBFD3EEEC0194D0D11F422997F698
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):679161
                                                                                                                                                                                  Entropy (8bit):5.217457437935302
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:m/h8ML2Zu/Bg90Ws9oCM9Otxh6vtDINPbIgTtLAkW/cB2Z0JZkQXEzBO+lZ:myMSZu/Bg90BuCzIP/+2ZGZazJlZ
                                                                                                                                                                                  MD5:0C259ECBB12E6F3F0E076E6200221489
                                                                                                                                                                                  SHA1:3DE53DCAFDCE24C151DD1812769B46ACEA77C90C
                                                                                                                                                                                  SHA-256:83A8345EA197020E07FE2CF53E74F31D0CC632CA1537F5C9C1DB2FB2665AB04F
                                                                                                                                                                                  SHA-512:6EF39EE8B7D40C5E6C0E79F8C4E846D431A6A87711D025122E2E7F060C5754FFF917771D5EDE6ADEC3BE909FB5CE0E8EB1DF5E18142ECDB6339BDDE8CE2C8398
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5312000
                                                                                                                                                                                  Entropy (8bit):6.364537003040197
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:YL1wrvfRIQkXfBe1IlA8gE+LGHEYXb3GNfsUd9QjqZztkJCP1pSN6WxHEmp+DnnV:81w7weOqiFIYBgTE
                                                                                                                                                                                  MD5:8FE00EBE76542263463877F27417EC61
                                                                                                                                                                                  SHA1:763502E57A3C4FBE5FC25EE7E9C942D94505D244
                                                                                                                                                                                  SHA-256:46AFB1ED7AB1B1A679E00784B2E78CC2358CEC615553699624FF77882F55787B
                                                                                                                                                                                  SHA-512:62B375B40EEDF04D03D8465570634B56D529E9525BD6D81BE94B40C7DA21CCCAA808BE97649F9404DED9EDD5CE129F9FB1D462C6A1986A25FA8A228857CDA5A2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):106
                                                                                                                                                                                  Entropy (8bit):4.724752649036734
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                                                                                                                                                                                  MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                                                                                                                                  SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                                                                                                                                  SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                                                                                                                                  SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):954368
                                                                                                                                                                                  Entropy (8bit):6.588968362833733
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:CkMYSDIukxvnwhdzY96Z5WiDYsH56g3P0zAk7lE1:Cku0fwhC96Z5WiDYsH56g3P0zAk7l
                                                                                                                                                                                  MD5:D8F31216785E204DA9BAD10E9F3734B7
                                                                                                                                                                                  SHA1:BE7F53566DBAEC5DBE61AFC76BF7401CFC42EF08
                                                                                                                                                                                  SHA-256:FA6B4E20EB448746E2EFF9A7FDE7A62585E371F3497A6A928EADE0A8CE8C1A9F
                                                                                                                                                                                  SHA-512:D7EF5EF7ED9B5559E107369849ADCD18FB9C9C3A90033731A46C4B5D3BA431582936E54E5B5918CE19A667B3F1EB369A93BC3F9A03DF8E5397E5F80DC21A61A1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1691760
                                                                                                                                                                                  Entropy (8bit):6.377248011693859
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:W0H28oc49lxvVtv4nZ70XYvHPhqkWHZC8l/Ia0dpZu4MRk:09wn10/k
                                                                                                                                                                                  MD5:AC174E068FA99EA6B346353BA69757CE
                                                                                                                                                                                  SHA1:CD1A42D84C18E8473FBEC6A6A3AC731DBB1FCC9B
                                                                                                                                                                                  SHA-256:19C680C1691BA446F2751B79355F2EF7206BBDA3684B058370F26FD2A82F5D6B
                                                                                                                                                                                  SHA-512:E9B0249979ABE566651CDC14F3C18A93B5B8C5C4C45E97FDB7A39D828A7FE930FEE8F1EE7B0A50A5213B4C2B0727E7C07FA5EF591FA80F555D6654CADD5B9BBD
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):985712
                                                                                                                                                                                  Entropy (8bit):5.551919340566682
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:OmPj0ZKH4lODcxSgo5Gn8WuMRIn+N3gN+zs5KPIVmkXiGzcJy3gt2LER6GvK9Hw1:Omb0ZKH4lODcxSgo5Gn8WuMRIn+N3gNw
                                                                                                                                                                                  MD5:390B04A388FFD833D4E93ED4153AE58D
                                                                                                                                                                                  SHA1:1D21644C16772988DD817B40E3886585BBB2D4B2
                                                                                                                                                                                  SHA-256:BB0E790F27DCBEC3B0DCB9F01F27A38C3D2D1F775538C6CFBF9883795F38EFF2
                                                                                                                                                                                  SHA-512:2FD5E8435110FD10DA4B17496377D619C249A11CEFDF4B01796029BB4A24E6A13EAA133158D250C9CC3C7BC9DBECA42BCE09F5AB3523B415A54F9461F3E5BA2A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):37488
                                                                                                                                                                                  Entropy (8bit):6.42379201827549
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:PwJTwYB4E5n/xe5arr82ADib6kysSoQuSW:YJYE55e5mr8tOb6k1L7SW
                                                                                                                                                                                  MD5:D332E42FFA4175720FBC2AA4AC4C57E3
                                                                                                                                                                                  SHA1:4148438DBD61126A5B223409E6FF49F8F838362C
                                                                                                                                                                                  SHA-256:9B070077A44937BEF43C386D4A89051300BC4FAA50C115A1D10FDBB052B66CA8
                                                                                                                                                                                  SHA-512:EB3C246EE059B94CE994B301486117AF1C06B7995FE107EC7F6A9CF0465A8BBFD45D46BCCF87623644BB9C4E345E141BC0F1BDA1FF8FC8D73CE255EEAC0FEA8D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):53872
                                                                                                                                                                                  Entropy (8bit):6.209840303982636
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:N7vV5z3+6KTqUPtLnPDiQ0fWST41mocNAwkEGjhl2BOBaBnD/4xFsO282ADib6U2:xVs6c3d28tOb6UT1L7SF
                                                                                                                                                                                  MD5:D454D5F84DD74C88DE630BA148470B43
                                                                                                                                                                                  SHA1:C2CB551054DF4EEE747783450BD5A79E711774B1
                                                                                                                                                                                  SHA-256:D4C2959CC59021EC109C0546AB6B44C9D62FE34F8648FA2E82693B6F6FDB9717
                                                                                                                                                                                  SHA-512:D30B2E6B7A1908FE80D5B52CC349D0BC128DBD807413AF3303626DC9758C11A3FA58E99E3A368C284C7B9573C06A7DD6B1228C398B1E1D84C1AEAD545713FD08
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):483440
                                                                                                                                                                                  Entropy (8bit):5.88808533617672
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Ma9ps9y+hl8hyfItfqNWtkT4yzIDUCEheLQta3spminCi5W3EKjWFY4A7+BkvCZ/:Ma9ps9y+hl8hyfItfqNWtkT4yzIDUCEf
                                                                                                                                                                                  MD5:3A1269C0A167AC4D9A444A6123F62647
                                                                                                                                                                                  SHA1:578575D8D7A073EF2AE8AF7DE65558ECC0FC0F99
                                                                                                                                                                                  SHA-256:ABC3A0B4FE5DB6717ED3D1BED438BACF053000BCA6C75DD8BE0047D776CEBB20
                                                                                                                                                                                  SHA-512:63DA1B64A5AFFF89A7031470EB3F08ABA8F4EE381025777EBBD5EA6404F68C92A998169C8B0B21DB3495CDF6A63AC836154C348DDD7D469EAACE293FD0A0482D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):703088
                                                                                                                                                                                  Entropy (8bit):5.944616866544071
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Rf9WGsSVSM2mxL2nRiOr8gUckc6V/g2GhBzj05cHQYa:ZXNL2PVh6B+BzjmcwYa
                                                                                                                                                                                  MD5:D3E0B67E13A5705481C6CA3C7193E7CF
                                                                                                                                                                                  SHA1:41EE7FAA47F8FBBC025170B5D137E11F4475922E
                                                                                                                                                                                  SHA-256:F0A7EAAABC1D4D46F45646C9676136377DD72FEFE0365DE51CC7A0CD048AA8C0
                                                                                                                                                                                  SHA-512:6087C957A49F5472F3D77D4F3B4114C536A5777C03AE33223835698AD3C2865CE3BB2F8FF8DB1CD0DF49FB7CF73FA61B4DFA849430295E82B3D82601E1B66E95
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):420464
                                                                                                                                                                                  Entropy (8bit):5.859763778856411
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:no4vyP2a+zKZsxgkE0PTpFh/2f7rvmcyjlSjnqgy:no4vyP2a+zKZsDr52f7rvty
                                                                                                                                                                                  MD5:5759B4F594B5D6B05CDF7D3818A41CF8
                                                                                                                                                                                  SHA1:63F4C42A3E3279F918991886DF6C53A5121C6D9B
                                                                                                                                                                                  SHA-256:E31181E899F6A109B782D20D6A77392D3F8A4C945D818861D9DC0ACB3B67D477
                                                                                                                                                                                  SHA-512:D53609028B3495DAA23C370ECD65500CB7F636A9950E7C54970CBA79A0C38DC6C81CBCC44C97392EA5B33F581C243D2C0A268E08ADFAF1D1EFA2746FC120089C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):43120
                                                                                                                                                                                  Entropy (8bit):6.314942767785965
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:Dx+pe4L10ajxHJl7u4WHjWZ82ADib6IysSoQuSKhE:1K0ajRu4WKZ8tOb6I1L7SKhE
                                                                                                                                                                                  MD5:2BFDFE0FB1AA5E9B398C49BB006B92A9
                                                                                                                                                                                  SHA1:5AABCCBC39F240DEEB048FCB4A7D636D787E4E34
                                                                                                                                                                                  SHA-256:BF0DC8C853201F9AC9E8B5A9696C24C46DCD9B8AE20CA5744B5B11574E175156
                                                                                                                                                                                  SHA-512:71E937DDDCF890661819A80679B62CC16912A713EE13F26DD9AB0E05438A680E4925AFBFDEEDC3409F908512F6AF34DC33C552A50A90C6C9321D285A851C6244
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):17520
                                                                                                                                                                                  Entropy (8bit):6.83969555329617
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:XrDJKl99Xk8jr8VSurQ2ADir/6rDzhW5w56SofousWu4qi7:Xr20L82ADib6dWysSoQuS2
                                                                                                                                                                                  MD5:9F018137CCC7684C1922C8D8FA7BA364
                                                                                                                                                                                  SHA1:E2C26A5BE58B2511043F918939B40134428A4E7A
                                                                                                                                                                                  SHA-256:7F1D68C22394D54159E918B089CF721DC0F5EF5BD2E9699ED135945ED20E020F
                                                                                                                                                                                  SHA-512:713C6D48BB186326492FF1466810FF7E270719F5A9A755C4BF84BC66679587223EA9973842EB3D719E2A5B564F488CDE34E39BB5286DBAD428E26E8EA7ED800C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):36976
                                                                                                                                                                                  Entropy (8bit):6.423492405586302
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:F2IVwX/kpnTXMcTWpHdD2JRrcfwcyT82ADib6jysSoQuSt:/wXcpnTXMwWmJRXVT8tOb6j1L7St
                                                                                                                                                                                  MD5:F632DC6A8B6A9D34F1A24B39475965E2
                                                                                                                                                                                  SHA1:44F478B7B76F9B23E5E78D25157BF58FE675A223
                                                                                                                                                                                  SHA-256:7B10A8C77CE1BA7B68ED742590031BACEC6EEA9641AB0AD2F0DDA40BF7D05C61
                                                                                                                                                                                  SHA-512:6B54ACBD0C5510EABCABE475011E14DA71C096A2F4E4235C605283D9E87903F202C94D3F24006DBC67C143064212CF80D545362C73B7E903AF607A9207666DBC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):130672
                                                                                                                                                                                  Entropy (8bit):6.183884930918232
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:Gy8BcjSMkNtSR4rkA4Nqnv/BZ8OQNZMpWovqnSOD1fSr:jPSMkNtS6rzH7H+y2e
                                                                                                                                                                                  MD5:381D1F6EAC3487FB809F4A67B20BBFC0
                                                                                                                                                                                  SHA1:7AE67391144F1C3BDDB739F89499E4DFC2E01561
                                                                                                                                                                                  SHA-256:CEA976F7B2AD44B80CAABCD2E2E443D4A58BB31839C6E12F68E49234FDCFD121
                                                                                                                                                                                  SHA-512:A702FC408F953B96E5BFFAAB5953E08FF7F4215A6A87BA94E283EEB6D1E87BD79D34D8421ECD98180844BB037553F958D4E9B71900A085C3B62757BD848CDD74
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):461424
                                                                                                                                                                                  Entropy (8bit):5.25726869136666
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:mw/0k3XAYWQuyOGiUpXWFgXFQIY0EH7+0BJmmDAvQNRplhxy6woW0nFTF9YvORIg:L8KXAy7qy6EOdgQ
                                                                                                                                                                                  MD5:6CD6DE9E328D4FDDBD0E3D5673369C3B
                                                                                                                                                                                  SHA1:0A0915D6B89CAEF5A9D8D170089ABEBEAF6A183C
                                                                                                                                                                                  SHA-256:5282E7BD01BD8C7A29E418E9F9EA7559A1A6E9F4CA3311399DC957296CEF5FF4
                                                                                                                                                                                  SHA-512:53B1D121698D22A821093F88A5D1270A8243D7CDC836AF338045562363C0C2AFA222D925B6FFD89C238B0775A6F946F539431FC46E9964CE2D382BE9434D2752
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......aF..%'..%'..%'...[~.$'..%'..$'...[..$'..Rich%'..........PE..L.....tg...........!..."..................................................................@.......................................... ..................p*..............p............................................................................rdata..t...........................@..@.rsrc........ ......................@..@......tg........j.................tg..........................tg........l.................tg............................................RSDS.BO..$.M..+.V.C{....C:\GitLab-Runner\builds\iVTFS-Df\0\Integration\wiservice\deploy\oi_release\UC.pdb.......................GCTL....p....rdata..p........rdata$voltmd............rdata$zzzdbg.... .......rsrc$01.....!.......rsrc$02........................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):162168
                                                                                                                                                                                  Entropy (8bit):7.073455164608616
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ZbG7N2kDTHUpoub7G1GFkTvQnKKjRCCDgqqAuKF5s34FEbfPzSzz1fSJ:ZbE/HUzi1GF9n6fqjup34GbfWdM
                                                                                                                                                                                  MD5:4D27F2943AD5052773E7741645B23DD6
                                                                                                                                                                                  SHA1:61B2A58C06C45A5682A24C32E4317EE07C685CFC
                                                                                                                                                                                  SHA-256:802AEB611760C67B68BE019480F65F8EA7BAC6CC30BC89D840DF895A7C3DA55F
                                                                                                                                                                                  SHA-512:85C5CA1FAF19A1168932C1C7259314A276ACBDDBD6F60BF5B9A89DEFE8440FDDB21E9EC9C04C1EC1F03FF3951162B20059C8A7218D72933872824A2367641B6E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):397424
                                                                                                                                                                                  Entropy (8bit):5.896845001178328
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:rNQ4YiZ6kjpxx981KKjQ9w53HW1fnAgCGCbmScQ:JrZ6kNxx9PKdU9AYAT
                                                                                                                                                                                  MD5:1A03B412419726F712C0C944D9223EBE
                                                                                                                                                                                  SHA1:D996B0D84B4FD60A0C88375D20E8FAD796D30946
                                                                                                                                                                                  SHA-256:232B5CE24F0E7EE6341A59E7BA939B63F6C5918AD847B453234029146C3F60A0
                                                                                                                                                                                  SHA-512:705D5C732F913C8C2E392592C91128F6FE5706ACF1FDF933042A2C4D40AAC90D3DF0478E9ECE9885E718E3FF5C81E7CB76974070148B4E8D9729F52057C8CF6A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (3755)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):19152
                                                                                                                                                                                  Entropy (8bit):5.393272662156399
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:2yw5tUebz1qEr5M5Q92rbYQujYSQxrjfTr+RLX8uy3i/yI72yWU8zS1Ap5kxP0Ko:tw5tUebz1qEr5M5Q92fYQKYSQxrrWtMn
                                                                                                                                                                                  MD5:B079016897676DE86F27C99F428B8808
                                                                                                                                                                                  SHA1:4A75733DF4F6D833898599100AD6ECA2CDD8AE17
                                                                                                                                                                                  SHA-256:9ACDD49BF2F04E1E6400905BA43D617A67C1260E8B97B93DB322234767FFC35A
                                                                                                                                                                                  SHA-512:4CD033711E425FA9ED5AA8C8F8DCB575C865735B3B2B3FE6DF04AA22B84A5C7F249245DFC3E5DBF6265229D71967C8C3F51F692AF30FBC1B83DDB7BB829830FC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>.<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">. <asmv1:assemblyIdentity name="WildixOutlookAddin.dll" version="1.0.0.0" publicKeyToken="ba03c384a1328835" language="neutral" processorArchitecture="msil" type="win32" />. <description xmlns="urn:schemas-microsoft-com:asm.v1">WildixOutlookAddin</description>. <application />. <entryPoint>. <co.v1:customHostSpecified />. </entryPoint>. <trustInfo>. <security>. <applicationRequestMinimum>. <PermissionSet Unrestricted="true" ID=
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (3784)
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5585
                                                                                                                                                                                  Entropy (8bit):5.810263805047951
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:0WLwO9Zc9vHTPkucpkF8YmORsZalUEgdF8YxzFodo9bBDA:ffFkLPdEA
                                                                                                                                                                                  MD5:DB9C70488F4DA3E672D17C6C7EEB5ED6
                                                                                                                                                                                  SHA1:49BA2D0791E5B3523FB076792843A71D4000E15B
                                                                                                                                                                                  SHA-256:5D457F66530E9A4553D428BD95ACFBFB578884561619F90BE19D171DD253DEFC
                                                                                                                                                                                  SHA-512:B138ABA72CAF390AAB04DD77F1E660751534878F2E8278E1C92433AC305AC215C30E0FA60522658FCD63D18B821D0B869BB6B369FBF3D4FD3B4C65C09DCC093B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.<?xml version="1.0" encoding="utf-8"?>.<asmv1:assembly xsi:schemaLocation="urn:schemas-microsoft-com:asm.v1 assembly.adaptive.xsd" manifestVersion="1.0" xmlns:asmv1="urn:schemas-microsoft-com:asm.v1" xmlns="urn:schemas-microsoft-com:asm.v2" xmlns:asmv2="urn:schemas-microsoft-com:asm.v2" xmlns:xrml="urn:mpeg:mpeg21:2003:01-REL-R-NS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:asmv3="urn:schemas-microsoft-com:asm.v3" xmlns:dsig="http://www.w3.org/2000/09/xmldsig#" xmlns:co.v1="urn:schemas-microsoft-com:clickonce.v1" xmlns:co.v2="urn:schemas-microsoft-com:clickonce.v2">. <assemblyIdentity name="WildixOutlookAddin.vsto" version="1.0.0.0" publicKeyToken="ba03c384a1328835" language="neutral" processorArchitecture="msil" xmlns="urn:schemas-microsoft-com:asm.v1" />. <description asmv2:publisher="Amazon.com" asmv2:product="WildixOutlookAddin" xmlns="urn:schemas-microsoft-com:asm.v1" />. <deployment install="false" />. <compatibleFrameworks xmlns="urn:schemas-microsoft-com
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):23664
                                                                                                                                                                                  Entropy (8bit):6.560940967824352
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:384:NVVKiOteMGnUvLMktlhw75P72brQ2ADir/6raX5w56SofousWu4Kfyg:NVkiO4MzpJwZA82ADib64ysSoQuSH
                                                                                                                                                                                  MD5:FAEA425A09F6DCC14F03D967946FC6E3
                                                                                                                                                                                  SHA1:8569910F5F5B369CAD5FA232ED5EE8A3CC38564E
                                                                                                                                                                                  SHA-256:17DD9AB9E3C5733DF4BE6D2B6F6961F053E1B22C1E44F6B611359412C1B0DB49
                                                                                                                                                                                  SHA-512:6EF24695606B67E78A02A9C5911D2325A39FB5DDA230F5DA7858EE436A317C5779AD4C01285948EF5A09813E190A3B53AE952DFD52D9D7CD38FBFE832202E4A4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):586864
                                                                                                                                                                                  Entropy (8bit):5.063139636129146
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:SIjggFdum2P4yaUXShvjSRbu05zpERTuZKKjQ9w53HW1fV/vDKjQGZ5bHWhUkzGc:KguBQyaUkJdxKdUbKXwjzF
                                                                                                                                                                                  MD5:0D4C25344365AF560C17E3EB7D649427
                                                                                                                                                                                  SHA1:3D44C52059AD8ABEBAD9578179BA7E6DED2C55E7
                                                                                                                                                                                  SHA-256:0672D29C4D7BBC087FE5ED4AAA8E2842E16D3947114DBB64EFA8613E106379F1
                                                                                                                                                                                  SHA-512:AA91EC560C875914D1F085CF80EBED3A5B2668DFDA5DC3782861C13BAD598C82A0C4A919005053754BC44BE432627ECFE446DAE9D2DD4E00FD861F0333CA8D78
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):146
                                                                                                                                                                                  Entropy (8bit):4.983767070197417
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:vFWWMNHUz/cIMOodBQV7VKXRAmIRMNHjFHr0lUfEyhTRLe86AEDDQIMOov:TMV0kInV7VQ7VJdfEyFRLehAqDQIm
                                                                                                                                                                                  MD5:05BD64DBD44CF1C95236670D3842562F
                                                                                                                                                                                  SHA1:824B16AD66771809D9BB32001875AA3C372C7C9C
                                                                                                                                                                                  SHA-256:40859DA4B6DE7510504DD13877345D92B4DF66EA09C6C4F4E72C7AE3610974AA
                                                                                                                                                                                  SHA-512:85FD03363DCDEF8B2A45C74605E0009249ADCA8BEABE06CBB90F6B1B00761C02B6BEB02B8BBD3DDC6965E98CEA820D5023705584D5B7DA5CD2FA3CB9AAF66E9D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0"?>..<configuration>..<startup><supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.6.1"/></startup></configuration>..
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5364336
                                                                                                                                                                                  Entropy (8bit):6.803295159333163
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:98304:EBDD78pFjrWkS2vQHbajE/OvLenj9QG96rDcmdD:+DQnjrWkS24Hbajcfj9c4q
                                                                                                                                                                                  MD5:206E87E60FE774EC5A94EB99B8B2B070
                                                                                                                                                                                  SHA1:BD463F6584F263B85B656C58AFBB1D7AF14975DE
                                                                                                                                                                                  SHA-256:EFFC0165FADBCDC21A9C3C000922CB98A293398486A24E50A70789F257CF9F20
                                                                                                                                                                                  SHA-512:72E9FC83E77BD9E69AEC91CB836CACEC0C7A20B04A8EB02F7698DF16A3AC095BF972BCBE4F1AA85D17E00C6FA703D87763C328E7D1F717DF4B8F2C1BC21107C1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 3%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):6427248
                                                                                                                                                                                  Entropy (8bit):6.617744849493833
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:98304:fd+J+bYZD4OdDcJW7+6vABZvzYMflMs0fRu:VsuM46cJWdvAvvPdd+u
                                                                                                                                                                                  MD5:9EA16A6444682CE6BC5A12433EB47453
                                                                                                                                                                                  SHA1:893F4F4E1498CB641B85368D7203B2BFE0A5B658
                                                                                                                                                                                  SHA-256:1ACE7C7705205DD8B5933C0A76827177912AD3201F5448425B11BD897BB92CC2
                                                                                                                                                                                  SHA-512:C4B0BADCA6B592D07D2DC883B2DB37EED1548A8F69117EE9CA6EB640419FABB12D62F5A59D752001F2090997F69FFE07D8651E0D57B9335CCB520D5C455FD56D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):3430
                                                                                                                                                                                  Entropy (8bit):3.577875788113156
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:yei1q97/qlLaq4i77cMUF39Qg9c9V9Lvara+iaiusupRCRf9ufAuRa7T5XhPsV8n:t2ll4i77h4iGdiaipV9ll7dhFF6+
                                                                                                                                                                                  MD5:9E02EAF2592DE18E8058FD254C89FAD5
                                                                                                                                                                                  SHA1:EB5FCE36FC938929D27348CA9B0040CFED0FF8B4
                                                                                                                                                                                  SHA-256:870D3C739BEB158446DEEED2B5C92854C2726A92B3294F0C07C52AE65CD51ED1
                                                                                                                                                                                  SHA-512:5C82E7D21BA6D828EED7BF9F313C864AB59DE695DF4B62D31DD2CCB838B60E65C7EEAB56606CBBBE8FBB11A4D70ED42D1D10F3EA9834B5203BBD5B6067648226
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">..  <RegistrationInfo>..    <Date>2020-11-04T11:59:46</Date>..    <Author>Wildix s.r.l.</Author>..    <URI>\Wildix\WIService update checker</URI>..  </RegistrationInfo>..  <Triggers>..    <CalendarTrigger>..      <StartBoundary>2020-11-04T01:00:00</StartBoundary>..      <Enabled>true</Enabled>..      <RandomDelay>PT5H</RandomDelay>..      <ScheduleByDay>..        <DaysInter
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5319784
                                                                                                                                                                                  Entropy (8bit):6.624489203238988
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:IDTNbgZbsK5pM9TJFppvgKnkt21tgJEyacq0+W3Ua+zxn1OqH:YJbNFF/gV/17sOA
                                                                                                                                                                                  MD5:1529A91171C5E94E3053B933E4244417
                                                                                                                                                                                  SHA1:1E7340E648898F396E39F86A5CC37AD396FD4918
                                                                                                                                                                                  SHA-256:9CC8F2C258EE3E9A0B15D6F289B27EA96992ADBAB92428A04BAE0A258FAF78BD
                                                                                                                                                                                  SHA-512:3FB39B3B3620B818FFD28932855E397F3EF5AD151CE396A4A650823F711065F49709013D6DED8268A7A29FFD989C372F4AE3C2CAAA7F5D51124E2A39AF05ACFC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):23812
                                                                                                                                                                                  Entropy (8bit):5.102231290969022
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:ILAp44CzsyQKElOR2x96a7zXql8wYNz6FkjzEgqgF6Lvztmm/jb5/R6B3VjMcBU0:ILAe40VxYJ7zvWrfZmujb5mVjlQrlGwI
                                                                                                                                                                                  MD5:D46A5DFAB2AC1BB5BF39D4E256E3AB43
                                                                                                                                                                                  SHA1:FD19097E89D882E5624E8822FF8D7518D104B31C
                                                                                                                                                                                  SHA-256:0E93309B477971AD9D744FB1BB6AFDE1AF7D31223E90B5E8A4E5EA13CC5B8CD9
                                                                                                                                                                                  SHA-512:FE6C5CD5DA0E045E9F823D34E393E158F56A3136966971F0D494092257956FBEA29ACC98E94B50AA785CF426DBACDAFFCC0B0F7872E7F63A2F270A174C0F4BCA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% stddtype.gdl - this file contains templates that define all MS standard datatypes..*% that appear in GPD and GDL files.....*PreCompiled: TRUE......*% ==================..*% ==== Macro Definitions ====..*% ==================....*Macros:..{.. LIST_OF_COMMAND_NAMES : (.. *%.. *% GENERAL.. *%.. *% the following are not enumerated here because they require.. *% the full Command structure. See Template: ORDERED_COMMAND.. *% and its descendants..... *% CmdSelect,.. *% CmdStartJob,.. *% CmdStartDoc,.. *% CmdStartPage,.. *% CmdEndPage,.. *% CmdEndDoc,.. *% CmdEndJob,.. *% CmdCopies,.. *% CmdSleepTimeOut,.... *%.. *% CURSOR CONTROL.. *%.. CmdXMoveAbsolute,.. CmdXMoveRelLeft,.. CmdXMoveRelRight,.. CmdYMoveAbsolute,.. CmdYMoveRelUp,.. CmdYMoveRelDown,.. CmdSetSimpleRotation,.. CmdSetAnyRotation,.. CmdUniDirec
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14362
                                                                                                                                                                                  Entropy (8bit):4.18034476253744
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:NcThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:xFzOnS7z0
                                                                                                                                                                                  MD5:CD0BA5F62202298A6367E0E34CF5A37E
                                                                                                                                                                                  SHA1:0507C7264281EFB362931DEB093308A5CC0F23A5
                                                                                                                                                                                  SHA-256:B5E8E0C7339EF73F4DD20E2570EE2C79F06CA983F74D175DBE90C0319C70CE3A
                                                                                                                                                                                  SHA-512:0DA97D886BBF6E06BDEF240B0CA32E80ED56140349902F2A58FCD00A95F85AEDEABB779CA99308DA39E995BDB7C179E2D7A0705643AF609EC7E05323964851F8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_DISP
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):59116
                                                                                                                                                                                  Entropy (8bit):5.051886370413466
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:UH8K0RGmALhTYi6AmdDsaCXmSsUN2xHXgutLSsy3o+ndhr54:UH8K0RGmAd58D+iLBHad4
                                                                                                                                                                                  MD5:FC574EB0EAAF6A806F6488673154F91F
                                                                                                                                                                                  SHA1:E10B44CF7082FE5BE23FB0C19AC792D4692F6388
                                                                                                                                                                                  SHA-256:941E5318D8BBD747AFA98982C0354516079175ACD3D7485F327BCC384F4FCFB8
                                                                                                                                                                                  SHA-512:A04CAC69A4DD4BD951CDC0F5186A3F589DA2EA40D667BE855F9E5AED12ECD9F7FC79FD624361C9563A07A5DCC1250CBD628BA27A0FAD78D599CD68540F9B4F45
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% stdschem.gdl - this file contains templates that define all MS standard keywords..*% and constructs that appear in GPD and GDL files.....*PreCompiled: TRUE....*Include: "stddtype.gdl"......*% ==================..*% ==== Base Attributes ====..*% ==================........*Template: DISPLAY_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_CODEPAGE_STRING.. *Virtual: TRUE..}........*Template: ANSI_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_NORMAL_STRING.. *Virtual: TRUE..}....*Template: DEF_CP_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_DEFAULT_CODEPAGE_STRING.. *Virtual: TRUE..}....*% ==================..*% ==== Root Attributes ====..*% ==================....*Template: CODEPAGE..{.. *Name: "*CodePage".. *Type: ATTRIBUTE.. *ValueType: GPD_NONNEG_INTEGER..}....*Template: GPDSPECVERSION..{.. *Name: "*GPDSpecVersion".. *Inherits: ANSI_STRING..}....*Template: GPDFILEVERSION..{.. *Name: "*GPDFileVersion".. *Inhe
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2278
                                                                                                                                                                                  Entropy (8bit):4.581866117244519
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:IO673u+3WSnMVfIPQMAPFq+AP3hM927Kc509OD8jQV0Ucn05NKYKd5NK3Kr59:IB7zmrAPMtc6927e9OQEV2EPSQg/
                                                                                                                                                                                  MD5:932F57E78976810729855CD1B5CCD8EF
                                                                                                                                                                                  SHA1:50D7145076D422C03B924DD16EA237AC9B822F0E
                                                                                                                                                                                  SHA-256:3B9BE4E69B022DE9D0E30EDE70F292F3DF55AB7BE36F134BF2D37A7039937D19
                                                                                                                                                                                  SHA-512:023848F6CE826EB040EA90C8319BBF1AC26E16B66BD9470E197B3A02DAE00AE9A177996E6B069F42BC54FBF28AE7F96CCC10CF331C13B54CCF12990311F30D73
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% stdschx.gdl..*% this file defines the parts of the schema that are dependent on..*% preprocessor defines.....*% Since this header relies on passed in Preprocessor defines, it must not be PreCompiled...*PreCompiled: FALSE....*Include: "stdschem.gdl"....*Ifdef: WINNT_50.. *% and above .......*Template: PRINTRATEUNIT..{.. *Name: "*PrintRateUnit".. *Type: ATTRIBUTE.. *ValueType: EDT_PRINTRATEUNIT..}..*Template: PREDEFINED_PAPERSIZE_OPTION_2 *% Additional papersizes.. *% for NT5.0..{.. *Inherits: V_PREDEFINED_PAPERSIZE_OPTION.. *Instances: (.. DBL_JAPANESE_POSTCARD,.. A6,.. JENV_KAKU2,.. JENV_KAKU3,.. JENV_CHOU3,.. JENV_CHOU4,.. LETTER_ROTATED,.. A3_ROTATED,.. A4_ROTATED,.. A5_ROTATED,.. B4_JIS_ROTATED,.. B5_JIS_ROTATED,.. JAPANESE_POSTCARD_ROTATED,.. DBL_JAPANESE_POSTCARD_ROTATED,.. A6_ROTATED,.. JENV_KAKU2_ROTATED,.. JENV_KAKU3_ROTA
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):532080
                                                                                                                                                                                  Entropy (8bit):6.370246167881384
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:/TIJ/Cq6XA1T9hPGhV9mid49b9spV7LDbTz5w:/UJ/Cq2IT/PiP4dapV7LDtw
                                                                                                                                                                                  MD5:1D574CE34B4086B8440B578497E4BAC6
                                                                                                                                                                                  SHA1:F7C55619F693CC6465B8B877C2F9E533CB84712C
                                                                                                                                                                                  SHA-256:BDCADB517FDB16078F999701B3A59CA75687CDE474F9770DF2E86AE41F9E962A
                                                                                                                                                                                  SHA-512:FB1B70C392A1E292C181C3EB4C072BD56FFFAA6674025FEB86EBDC772C98CC443D8DFC7325C84E19CB41269303D8C583A44841F938F03CC517DD25E68359560F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:MS Windows 3.1 help, Tue Apr 17 13:11:56 2001, 21225 bytes
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):21225
                                                                                                                                                                                  Entropy (8bit):3.9923245636306675
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:g8qo9MqLEGX9WkaNWvbAsmrEGckkwy95/HLQdu:g8rMqLwkW8AsqEHkkwy7N
                                                                                                                                                                                  MD5:6798F64959C913673BD66CD4E47F4A65
                                                                                                                                                                                  SHA1:C50FAA64C8267AC7106401E69DA5C15FC3F2034C
                                                                                                                                                                                  SHA-256:0C02B226BE4E7397F8C98799E58B0A512515E462CCDAAC04EDC10E3E1091C011
                                                                                                                                                                                  SHA-512:8D208306B6D0F892A2F16F8070A89D8EDB968589896CB70CF46F43BF4BEFB7C4CA6A278C35FE8A2685CC784505EFB77C32B0AABF80D13BCC0D10A39AE8AFB55A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):919664
                                                                                                                                                                                  Entropy (8bit):5.991555850090375
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:uH0ARc8QCfjeDUr73Tx1yfhPXgFQ3Qe5w1lwAAwoTLARTsBqC+Zo:u7Hdv3DyfhP2QgYPwo3ArVo
                                                                                                                                                                                  MD5:816DDBD6F052DEBFCE5B7EEAE4E789FD
                                                                                                                                                                                  SHA1:1DFD070CAE07E271233AF20236831DC58B3BADB6
                                                                                                                                                                                  SHA-256:727FFB5B2BF5BDFFFBD090FD83911F731BB6776571ED1377F2139899709C51F0
                                                                                                                                                                                  SHA-512:6A02DA315AD7E886FDC4C43C0F63409A41735FB409F144DAA04422648E45FA9E7A523CF326612412C96D3E03D451F10A2BDFEB2B6BCAD7A6D8DC474281A5978D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):856688
                                                                                                                                                                                  Entropy (8bit):5.596774833480957
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:r9aBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinL2U:paBEGbL4Np84TQazCSiR2U
                                                                                                                                                                                  MD5:A64216C3C9E82E1C6D0B5CD8020D3ABD
                                                                                                                                                                                  SHA1:5FC65E59EEEE9C5F1682E4EDB4C5D9EF69FCED88
                                                                                                                                                                                  SHA-256:56DA81C0EABE8505A96A41BA69A3DB13F30E247C39B1393CFE65C9578E47A9EC
                                                                                                                                                                                  SHA-512:079CFACC36CF4EA6E24A61B539C1A2EBC04DAE2AC93FE8EC372FA5E8934C9F93BEBC4C47188E7EC95D306ACB0E8A2C3FA2AC8605A378F30AD8C634B457168B83
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7996
                                                                                                                                                                                  Entropy (8bit):5.128824009655858
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:Iwr2yWGyAH155NpoEdyb76f8upG2sIkQTkpfpBnquMpBnqF5zqps2dXRSXjKMoy8:IHa1Hj7k2sI90mHmF52pbye9U/Prtk
                                                                                                                                                                                  MD5:9CB68B693CDCDF5E9E5707E3CABCA7A7
                                                                                                                                                                                  SHA1:29A5537387519BC14138F02C5355EAB2EB923AA3
                                                                                                                                                                                  SHA-256:D79405A4F2A390407B78B1DC7FEEBE3A533EA9969F6066F5A12F189502D900F0
                                                                                                                                                                                  SHA-512:765EDDDD3CE8995DC66AB5578462F12CD52007FDEBF3C6DE412BAF4C094E17FDB286BDEB0A6ECC6FE2347C0BB846F4D2A206DD78BC128111E84918F50B57E7F8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% ..*% ..*% ..*GPDSpecVersion: "1.0"..*GPDFileName: "imgprint.gpd"..*GPDFileVersion: "3.1.0" ..*Include: "StdNames.gpd"..*ModelName: "Wildix FaxPrinter"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 99......*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "<1B>&l0O".. }.. }.. *Option: LANDSCAPE_CC90.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "<1B>&l1O".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: MANUAL.. *Option: MANUAL.. {.. *rcNameID: =MANUAL_FEED_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "<1B>&l2H
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):940144
                                                                                                                                                                                  Entropy (8bit):6.458898363798956
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:5pcIN4eGbIp0dMAonEWorRdvfd+Xu6VrZUcu2jRwzjeL7i8XVbsT3zpf3ygLuITz:5pv2OrkeL+8U3zpvyOuARXwo1
                                                                                                                                                                                  MD5:1DED360B71C4C83EB10B0C08B6597C9E
                                                                                                                                                                                  SHA1:80CC899D7CC2483B01185CD528210A399C76DBDD
                                                                                                                                                                                  SHA-256:D9B43DF509EE41A62E74241A541723E309FA5A4470E3132E7DD2C54314DF4E2D
                                                                                                                                                                                  SHA-512:45616968A18B7789F9256CFD7E2023D6644A34B5F29ADF138E058BBDCDC2231FA3DC37DD28796F85AB1D63E60F9E9C8C010AEE162DAC9031B0E605C463966A78
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):306752
                                                                                                                                                                                  Entropy (8bit):6.141499008290493
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:pgwRUnZJgqtQ4pVbo2Vpm0Uf0iTVeZz7YN5Aq6B0O7G36cPQ6ONU0lOXbu:CzZD0X15Yv8Oq6B0OgPfOy0lKu
                                                                                                                                                                                  MD5:4F95ADAFA7E0E034EDF87B2BFDC4CDFA
                                                                                                                                                                                  SHA1:E6422B41682E01BAFC3D36B20F5113F8691D83EA
                                                                                                                                                                                  SHA-256:45EEC2C2BC825849E9EA8DAC2F2E6EB76353DB498EE74788CDAB82BC7F42625B
                                                                                                                                                                                  SHA-512:BAB4849A4E5BEC7895CA657C2E642D926DB897987B73E9B615F3C7C35EB58AB0E3E17D7F3EFE4A88382052C0E14F32082804EBC4744724CA4755A9C336500125
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:CSR-dfu2..0.....signed stack+app ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................2C.......@...................
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):894220
                                                                                                                                                                                  Entropy (8bit):6.412259430484631
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:byUN9kmRr6Ps+2GfGshqM6LcX95Efz4F0BOU0H3Y4G3GUrBxK8Xzg02/HxKJT:Dr1E+JMycX95EfzD0fexBxK8jX+wx
                                                                                                                                                                                  MD5:F80C203D2184BE4E9CDA039C517F1556
                                                                                                                                                                                  SHA1:2FE1E31B80688B88DEF0CF9AD1193C5D41C2645F
                                                                                                                                                                                  SHA-256:F40F0499B23D21C2C24DB452A5482DBD36957935F593DD4D60935DE2550B1EEB
                                                                                                                                                                                  SHA-512:A0F7A12F2A600A7796678E1C279D04A88FFF4118A9B4372719E5A1FB674D5EECA993548EEA79C376AB1D872EB6ECD2D8F87C7898C96E11842190EFDF0FCE0040
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:CSR-dfu2........signed stack+app ...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................2G...N.......................
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):72304
                                                                                                                                                                                  Entropy (8bit):5.55290876998526
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Pm17Ztk6tdWavOgwfMwob8tOb6K1L7S1Un:PK7HkQvOgwfT9Sb1fS2n
                                                                                                                                                                                  MD5:1340C9F8BF2A24074FF43CB663983AC4
                                                                                                                                                                                  SHA1:3BCF98D2D6FDA3A5BA47BF37F8B462E5683E0BD2
                                                                                                                                                                                  SHA-256:ED2448275402FD4F4F945B121B386168F0F40DDC09B33CEA0D2C42ABB1C78AE4
                                                                                                                                                                                  SHA-512:A0022237AA0211659609CF0F2188530C141ED5B7AF994A3A27CACAB6DE71D3D81863DF3E6AEB8661E5A593403439668DF9EAFDB7F0814364960ACC0FF135ECE9
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):24688
                                                                                                                                                                                  Entropy (8bit):6.923218305340772
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:CjEds+4wmIm0eAk582ADib6MIysSoQuSE:RdifnX8tOb6MI1L7SE
                                                                                                                                                                                  MD5:50F7B26074413150020CBBC07323B58D
                                                                                                                                                                                  SHA1:35AD00A36CF8DBC90E6E38931E6EA14C02BF1440
                                                                                                                                                                                  SHA-256:683D0127506E21F29F8F3CB51ED6955B39832D19BFADFC0E845AFD58C5738799
                                                                                                                                                                                  SHA-512:659A23E20AAA062D176AC982A50CFE46B247C13F0F8B05C8F41B8DB0F7637A4102AF79DC4DCEFA0B7890E1DA4DD87E63510634464FDAB4EFF0538AFDEE9845AE
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):490096
                                                                                                                                                                                  Entropy (8bit):6.084433322393528
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:N6KTZsHDwx0TCAQpFTfnPyFVrCqq/KrnahQ+Nnq0B/aNOjMQpynpPQ:rsHDG0TM6sKGhQ2nq0iQUY
                                                                                                                                                                                  MD5:A7AF473BDC6493C11CE071B11E324E5A
                                                                                                                                                                                  SHA1:2788D07F0D5CB3C56E845905A5669603F37159A6
                                                                                                                                                                                  SHA-256:566DC91237523877C6D5ACA8B5B5E7145937982A5409C78F148E18390DDDE069
                                                                                                                                                                                  SHA-512:18293FD7C26E00490AACBF0DEBC8A1E05C6734E0546A8F12C3EE8067D232CEAC77DF269237736A956741B4D350852EF33F909600C77B4FE8392F802AB8974840
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):559728
                                                                                                                                                                                  Entropy (8bit):6.452474379327697
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:XZY4lOHMwLwXBt+iaKst/Ua/hUgiW6QR7t5j3Ooc8NHkC2eWzp:XZY4lOHMM8wifstjj3Ooc8NHkC2eep
                                                                                                                                                                                  MD5:E353CFB37F8EBCAA044FEF89AD1B59F3
                                                                                                                                                                                  SHA1:F751BB2E7ED3DF10EADC73A780798C94D2EC10D8
                                                                                                                                                                                  SHA-256:81EEFF257350C01742D16971501A54755A97DD441FF91E912958F068C1763448
                                                                                                                                                                                  SHA-512:6D6CFE50E3DC87D45F25000FC992ACD3CF564A5CC928FFA3BEB99E799F528618174DE042EDCB31A73AA736CE69159A690B8D532CA1134D11134AA85F06293FE5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):637552
                                                                                                                                                                                  Entropy (8bit):6.8685472952194955
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:fxzh9hH5RVKTp0G+vphr46CIFt0yZmGyYG/q:fph9hHzVKOpRFHmGyY2q
                                                                                                                                                                                  MD5:D0DE1837CAAEDD6D0EB2E7DFE3A16601
                                                                                                                                                                                  SHA1:FF8729A83E98CA5DFC09C8BE65FCE9C45DB536A2
                                                                                                                                                                                  SHA-256:B6C7F4CB86FFA0CB076C55D659F390DF2F62A6D3FA5A896281A43E6109F77DEB
                                                                                                                                                                                  SHA-512:44C02013F4D5569F35E89C783BCC2B14C3F79FE61011656FE15B57846E99343F404C3057A006D45B83678DCFBAE269E9555D6A946A355CC47D24E5AD00F33AB3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):701552
                                                                                                                                                                                  Entropy (8bit):6.836069284857721
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:th1wtmDyLuDTFn3nLjTwDFbT82hs8mVY/P3WaNi6nS4zAEgMWPznF9SHaneX:n1wtmDyLghn3nLjYFbIv8d/fs6S4zA/u
                                                                                                                                                                                  MD5:E14902AD1CF232867326AF9C91830B51
                                                                                                                                                                                  SHA1:772FF493E1DD52B4B9399841E7DF7FCADFDD2A26
                                                                                                                                                                                  SHA-256:DA7C567F81C6E5206858B9C3AD844950CE804CD42FD26823A862D6C8D413A558
                                                                                                                                                                                  SHA-512:0DBB5438D6B448283ED379793DB205FC2E481144BC5BE6D91A54B1F9912E5C813341ED1AB53DDDD6715A64085A3FFA9BF97A07CADBE64E7228F142CE8182C0E6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Has command line arguments, Archive, ctime=Tue Dec 31 14:42:44 2024, mtime=Mon Jan 13 17:19:04 2025, atime=Tue Dec 31 14:42:44 2024, length=16788080, window=hide
                                                                                                                                                                                  Category:modified
                                                                                                                                                                                  Size (bytes):928
                                                                                                                                                                                  Entropy (8bit):4.584822623113853
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12:8iC0YX++h9IEQbdpF44G+buEOKs7Kr/bRp/jA/3lPDRbbdpo8u1bUXfgXfzBmV:8mJbdaAeaHANBdKbUXfgXftm
                                                                                                                                                                                  MD5:CE3C7B6BE64F8BF99A852627F4395947
                                                                                                                                                                                  SHA1:C11D5349541092661D7F63C29A8C24EEC6646413
                                                                                                                                                                                  SHA-256:93DA3D1EA03709CDECBB218C73813E29CD33E5BF68D1CE5301C096B50AE60137
                                                                                                                                                                                  SHA-512:F07145EDCC1BBEE7080BBA670907B9D4738529CE3D1E4813D9046B1091F64A197954315E6CAE04AC5CB10D9CC07786953E0F183A7FA06B306D7E5B4A1F9A4980
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:L..................F.... ........[.......e.......[..p*...........................P.O. .:i.....+00.../C:\.....................1.....-ZR...PROGRA~1..t......O.I-ZR.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....-ZR...Wildix..>......-ZR.-ZR......S........................W.i.l.d.i.x.....\.1.....-Zb...WISERV~1..D......-ZR.-Zb......S......................;.W.I.S.e.r.v.i.c.e.....h.2.p*...YV} .WISERV~1.EXE..L......YV}-Z\.....6T........................w.i.s.e.r.v.i.c.e...e.x.e.......^...............-.......]...........(.(......C:\Program Files\Wildix\WIService\wiservice.exe......\.w.i.s.e.r.v.i.c.e...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.l.d.i.x.\.W.I.S.e.r.v.i.c.e...-.-.p.r.o.x.y.e.x.`.......X.......830021...........hT..CrF.f4... .XWn......,......hT..CrF.f4... .XWn......,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3039004, page size 1024, file counter 3247, database pages 22038, cookie 0x1c6, schema 4, UTF-8, version-valid-for 3247
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):22566912
                                                                                                                                                                                  Entropy (8bit):6.156856755685782
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:LweRjXxSuAId92j0CeSg0np8atm8SsANGC1KuD1+U68rNMgT9A4VMD5uuTopBtlw:DyhI8GUp8atPOG6VhvcgIHRH
                                                                                                                                                                                  MD5:3241A121BCF26F5E8B36663E3056B2CA
                                                                                                                                                                                  SHA1:FAF689142817E79961EE45D61D40EF0204488D89
                                                                                                                                                                                  SHA-256:DE37FC1A3B827F05BFF563D523CBA8007272462C24C9C1939F9B1FD13F789088
                                                                                                                                                                                  SHA-512:03530AE86E5342FF84494BEF17EEDE041D918A0193357711076649493B9020A5729CCF0737BD226B8A32ED7D88E342316050DEE9C8CD13A3AE281C2B7FE2C562
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:SQLite format 3......@ ......V..................................................................._...........V.............................................................................................................................................>.......StableFILTERSFILTERS.CREATE TABLE FILTERS (...ID BIGINT NOT NULL,...NAME VARCHAR(128) NOT NULL,...DESCRIPTION CLOB(2147483647),...STATE CLOB(2147483647) NOT NULL,...PRIMARY KEY (ID)..)-...A...indexsqlite_autoindex_FILTERS_1FILTERS.........w...##..5tableEVENTS_TAGSEVENTS_TAGS.CREATE TABLE EVENTS_TAGS (...EVENT_ID INTEGER NOT NULL,...TAG_ID INTEGER NOT NULL..).n...%%...tableEVENTS_STATSEVENTS_STATS.CREATE TABLE EVENTS_STATS (...ID INTEGER NOT NULL,...DAY INTEGER NOT NULL,...DATE DATE NOT NULL,...MIN_ID INTEGER NOT NULL,...MAX_ID INTEGER NOT NULL,...COMPLETE TINYINT NOT NULL,...PRIMARY KEY (ID)..). ........tableCLASSESCLASSES.CREATE TABLE CLASSES (...ID INTEGER NOT NULL,...NAME VARCHAR(255) NOT NULL,...NAME_LOWER VARCHAR(2...86...+,.
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):261232
                                                                                                                                                                                  Entropy (8bit):5.839129701085833
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:8LixO6zz8t4OXDegbQy058MP2pZrCmrrDse0ecdfF7b2gqEiyDvSmqtNlVusC51E:Dn8nDenoRXoJF3bqEiyzZ5m1FsgUNu1
                                                                                                                                                                                  MD5:B43803E3279FAB53E4393FBBF40B1949
                                                                                                                                                                                  SHA1:ACA0E59D227808534303708354D2FD4AA2B356DB
                                                                                                                                                                                  SHA-256:2B2E4F436377B7770071FD387ABE01B9D7088214E43718C9827D82E4BEA31BE6
                                                                                                                                                                                  SHA-512:ECFBB03CAC1203927A6E21267C8198A62B359CCCF2A3E0EF4D9AA3C0B0A075F43D0E6B7FFFE2E225A170ABBA122BC62FF38A8682E64886CEDDF6B0236CE325A8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 13 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):175221
                                                                                                                                                                                  Entropy (8bit):3.6057445859805903
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1536:Fpznextut/yGjfT8nUa/XIHlbeA5yN6zHW156G6:vzeytxjQ9XA53HW15x6
                                                                                                                                                                                  MD5:CE4C0FAC424ECDAFD490544CF10593B6
                                                                                                                                                                                  SHA1:96B32682A928D5A9229B93586478A31E08B423F4
                                                                                                                                                                                  SHA-256:A9BAE457E58D8BAB5FB10A3A6AE67D4453CECCECBE81C5AD066E86AAFD11A45A
                                                                                                                                                                                  SHA-512:0F1BBF2C115CB9128594647FB9138B876E896B01CC86237EB00A695E38671955D718C4F9A712B4C0DD6CD40C99ABBC00B0442E5B192562B622EB3B9A660B228F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 13 icons, 32x32, 16 colors, 4 bits/pixel, 16x16, 16 colors, 4 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):99667
                                                                                                                                                                                  Entropy (8bit):6.776502745804188
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:RcfWrQG1GFkTvQnKKjRCFpgqmKN5+x3pJY:ufct1GF9n6FKqmrx3pi
                                                                                                                                                                                  MD5:8F898251C85EE83FE4CEF753AD127FEE
                                                                                                                                                                                  SHA1:965419910C1929CF695C530456950616B85596C5
                                                                                                                                                                                  SHA-256:31DEE18EA1C5E7723DB0C13C630517963E79930474B275322A0CDE686C5953B5
                                                                                                                                                                                  SHA-512:4397158E3EBA45B7CD27E931F353D72042B154416036874824CC1469FA9D533C4E67B7ED81A0A9EDB480F667A9716AE999D54B3F36EA1375344BB0E944AC8102
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):16788080
                                                                                                                                                                                  Entropy (8bit):6.685932138686767
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:196608:cuNY9QWMli9PtASPB28MjMwKQLiUrqu3he/a86CDkG:cuCWi9PtxBzQLNR0a8/DkG
                                                                                                                                                                                  MD5:D62710F3678538E483FFC7EA112D7F68
                                                                                                                                                                                  SHA1:54212AF34D394BEF6620C2D2CBB874660EBBE523
                                                                                                                                                                                  SHA-256:0F4903937AD02B65A212319365DE974F7B6529201343271B2E4CEC76A03522EB
                                                                                                                                                                                  SHA-512:81CE8E21FB80EDD29CDCF890FF694D3D4FB5242B18EB7DDD882AC46978B259D27F636914A0F059556FBE9D8EA7A3103EDF1C6AC6300F81C2891EFBE90B3F6F43
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:MS Windows icon resource - 9 icons, 16x16, 32 bits/pixel, 24x24, 32 bits/pixel
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):207760
                                                                                                                                                                                  Entropy (8bit):6.4085333829790425
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:4xJ/R9PV9qWAEWgX+RyhJs1DC0/R2eGHSWCICTDCqK79yUiG7F3kzudR1aw9M0TU:4n/R999qWAEWgX+RyhJsVC0/R2eGHSWU
                                                                                                                                                                                  MD5:F214B5E008F3D23F4F01951247BAE991
                                                                                                                                                                                  SHA1:DB7928B37992CD0635AB5FC1E89547C6BE813B55
                                                                                                                                                                                  SHA-256:CED79B247B0C8DE449312B7CF5690E8E9DA968F22CC722DA70124BDF2A84C427
                                                                                                                                                                                  SHA-512:FA5211DF2922ABC3C5091E2098DF5FAD9681E2CDC8A3287AEC49F8694B11B776A2001DED052995A34E5EF52B55A207E6069393DD9BAAEFB82CEFC98824BC7774
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Has Working directory, Icon number=0, Archive, ctime=Tue Dec 31 14:43:18 2024, mtime=Mon Jan 13 17:19:03 2025, atime=Tue Dec 31 14:43:18 2024, length=162168, window=hide
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1955
                                                                                                                                                                                  Entropy (8bit):3.4067435949592917
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:8tJbdaPkGmBER8hdahidVdahB2dahUfpft:8rZGmBRGhThBXhUh
                                                                                                                                                                                  MD5:E6106864747557FF047370C0BDFA5586
                                                                                                                                                                                  SHA1:AE7056135EB462D74C6CF00A53680E3854A792C3
                                                                                                                                                                                  SHA-256:480B01BD9F230F2E67F0242F827835B053F96072A2C80D40DE8C5E0042600AFD
                                                                                                                                                                                  SHA-512:031941A1D2BC2B2A06D2AE84FFD1A6D1D0DD7211208F0C4A1B98C52085FBCF4684AA156B93E885CCD64876C7683AE47BBD6F5589479A965B1790C937BE86A783
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:L..................F.@.. .....Y..[....#..e....Y..[..xy...........................P.O. .:i.....+00.../C:\.....................1.....-ZR...PROGRA~1..t......O.I-ZR.....B...............J.........P.r.o.g.r.a.m. .F.i.l.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.1.....T.1.....-ZR...Wildix..>......-ZR.-ZR......S........................W.i.l.d.i.x.....\.1.....-Zb...WISERV~1..D......-ZR.-Zb......S......................;.W.I.S.e.r.v.i.c.e.....z.2.xy...Yi} .UNINST~1.EXE..^......Yi}-Zb.....rT........................U.n.i.n.s.t.a.l.l.W.I.S.e.r.v.i.c.e...e.x.e.......g...............-.......f...........(.(......C:\Program Files\Wildix\WIService\UninstallWIService.exe..J.....\.....\.....\.....\.....\.....\.....\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.l.d.i.x.\.W.I.S.e.r.v.i.c.e.\.U.n.i.n.s.t.a.l.l.W.I.S.e.r.v.i.c.e...e.x.e.!.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.l.d.i.x.\.W.I.S.e.r.v.i.c.e.8.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s.\.W.i.l.d.i.x.\.W.I.S.e.r.v.i.c.e.\.U.n.i.n.s.t.a.l.l.W.I.S.e.r.v.i.c.e...e.x.e...
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                  Entropy (8bit):5.814115788739565
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                                                                                  MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                                                  SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                                                  SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                                                  SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7168
                                                                                                                                                                                  Entropy (8bit):5.298362543684714
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                                                                                                                                                                  MD5:675C4948E1EFC929EDCABFE67148EDDD
                                                                                                                                                                                  SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                                                                                                                                                                  SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                                                                                                                                                                  SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1096
                                                                                                                                                                                  Entropy (8bit):5.13006727705212
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:36DiJHxRHuyPP3GtIHw1Gg9QH+sUW8Ok4F+d1o36qjFD:36DiJzfPvGt7ICQH+sfIte36AFD
                                                                                                                                                                                  MD5:4D42118D35941E0F664DDDBD83F633C5
                                                                                                                                                                                  SHA1:2B21EC5F20FE961D15F2B58EFB1368E66D202E5C
                                                                                                                                                                                  SHA-256:5154E165BD6C2CC0CFBCD8916498C7ABAB0497923BAFCD5CB07673FE8480087D
                                                                                                                                                                                  SHA-512:3FFBBA2E4CD689F362378F6B0F6060571F57E228D3755BDD308283BE6CBBEF8C2E84BEB5FCF73E0C3C81CD944D01EE3FCF141733C4D8B3B0162E543E0B9F3E63
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:Copyright (c) Electron contributors.Copyright (c) 2013-2020 GitHub Inc...Permission is hereby granted, free of charge, to any person obtaining.a copy of this software and associated documentation files (the."Software"), to deal in the Software without restriction, including.without limitation the rights to use, copy, modify, merge, publish,.distribute, sublicense, and/or sell copies of the Software, and to.permit persons to whom the Software is furnished to do so, subject to.the following conditions:..The above copyright notice and this permission notice shall be.included in all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,.EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF.MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND.NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE.LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION.OF CONTRACT, TORT OR OTHERWISE, ARISIN
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):9174266
                                                                                                                                                                                  Entropy (8bit):4.780443521000387
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:KPQQ/6MP6P5d1n+wRcXe1Lmfpm6k626D6b6+eGnkywBIpv:Cy8OeG8k
                                                                                                                                                                                  MD5:BD0CED1BC275F592B03BAFAC4B301A93
                                                                                                                                                                                  SHA1:68776B7D9139588C71FBC51FE15243C9835ACB67
                                                                                                                                                                                  SHA-256:AD35E72893910D6F6ED20F4916457417AF05B94AB5204C435C35F66A058D156B
                                                                                                                                                                                  SHA-512:5052AE32DAE0705CC29EA170BCC5210B48E4AF91D4ECEC380CB4A57CE1C56BC1D834FC2D96E2A0F5F640FCAC8CAFE4A4FDD0542F26CA430D76AA8B9212BA77AA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview: Generated by licenses.py; do not edit. --><!doctype html>.<html>.<head>.<meta charset="utf-8">.<meta name="viewport" content="width=device-width">.<meta name="color-scheme" content="light dark">.<title>Credits</title>.<link rel="stylesheet" href="chrome://resources/css/text_defaults.css">.<link rel="stylesheet" href="chrome://credits/credits.css">.</head>.<body>.<span class="page-title">Credits</span>.<a id="print-link" href="#" hidden>Print</a>.<label class="show show-all" tabindex="0">.<input type="checkbox" hidden>.</label>.<div class="open-sourced">. Chromium software is made available as source code. <a href="https://source.chromium.org/chromium">here</a>..</div>..<div style="clear:both; overflow:auto;"> Chromium <3s the following projects -->.<div class="product">.<span class="title">2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package</span>.<span class="homepage"><a href="http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html">homepage</a></span>.<labe
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):176619800
                                                                                                                                                                                  Entropy (8bit):6.749624619122867
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:1572864:SgRMg/aKxl4b7qCDQtjovZT78wLF2pArKgDz6ObiISXD+Dyj3eRalD2kGpTe/2H1:Gg/geeFXzGa9FzV
                                                                                                                                                                                  MD5:5DAD490CE110FCDF62D3F38296A3FC44
                                                                                                                                                                                  SHA1:D6ACC8D53CED56D53FE3EFAAF1E35D508D00AD56
                                                                                                                                                                                  SHA-256:E1AD240972ABB42861807E99AB09DB018367EA04462D201D48D55E5E353FB6B9
                                                                                                                                                                                  SHA-512:A3F81654B654006588BDB41664F5440B4FE97BE8DE01E4FF64D7DD4716531C411A477085C43D0BB5F38BD7CDEAB43C2865F345F53172CE781A085F066A165E4C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........."......4...N.................@.....................................M....`.........................................G....j..4...T....0..p....pe...F......S.....................................(...@o..@.......................`....................text...U2.......4.................. ..`.rdata.......P.......8..............@..@.data.....D..p ......P .............@....pdata....F..pe...F...).............@..@.gxfg....A...P...B....p.............@..@.retplne............. q..................rodata.............."q............. ..`.tls....i...........4q.............@...CPADinfo8...........:q.............@...LZMADEC.............<q............. ..`_RDATA..\............Nq.............@..@malloc_h..... .......Pq............. ..`.rsrc...p....0.......Rq.............@..@.reloc...............w.............@..B........................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):154426
                                                                                                                                                                                  Entropy (8bit):7.915623092881329
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:AzwJCGIekwENgMBsFAXg6VKdL2o418Gb0+VRLf0ld0GY3cQ3ERVm2I:Azw1IekmMBdQXK18Gb0OV8ld0GecQ3Ey
                                                                                                                                                                                  MD5:B1BCCF31FA5710207026D373EDD96161
                                                                                                                                                                                  SHA1:AE7BB0C083AEA838DF1D78D61B54FB76C9A1182E
                                                                                                                                                                                  SHA-256:49AFF5690CB9B0F54F831351AA0F64416BA180A0C4891A859FA7294E81E9C8E3
                                                                                                                                                                                  SHA-512:134A13AD86F8BD20A1D2350236269FD39C306389A600556A82025D5E0D5ADAAB0709D59E9B7EE96E8E2D25B6DF49FEFEA27CDCCEFE5FBA9687ABF92A9A941D91
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):235060
                                                                                                                                                                                  Entropy (8bit):7.947114238566176
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:gDQYaSN6svydrI8jDQUgx5GMRejnbdZnVE6YoppO4:NfSN6svydZ6edhVELoXO4
                                                                                                                                                                                  MD5:E02160C24B8077B36FF06DC05A9DF057
                                                                                                                                                                                  SHA1:FC722E071CE9CAF52AD9A463C90FC2319AA6C790
                                                                                                                                                                                  SHA-256:4D5B51F720F7D3146E131C54A6F75E4E826C61B2FF15C8955F6D6DD15BEDF106
                                                                                                                                                                                  SHA-512:1BF873B89B571974537B685CDB739F8ED148F710F6F24F0F362F8B6BB605996FCFEC1501411F2CB2DF374D5FDAF6E2DAAADA8CEA68051E3C10A67030EA25929E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4916712
                                                                                                                                                                                  Entropy (8bit):6.398049523846958
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:KCZnRO4XyM53Rkq4ypQqdoRpmruVNYvkaRwvhiD0N+YEzI4og/RfzHLeHTRhFRNc:xG2QCwmHPnog/pzHAo/A6l
                                                                                                                                                                                  MD5:2191E768CC2E19009DAD20DC999135A3
                                                                                                                                                                                  SHA1:F49A46BA0E954E657AAED1C9019A53D194272B6A
                                                                                                                                                                                  SHA-256:7353F25DC5CF84D09894E3E0461CEF0E56799ADBC617FCE37620CA67240B547D
                                                                                                                                                                                  SHA-512:5ADCB00162F284C16EC78016D301FC11559DD0A781FFBEFF822DB22EFBED168B11D7E5586EA82388E9503B0C7D3740CF2A08E243877F5319202491C8A641C970
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Antivirus:
                                                                                                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........|3..]...]...]..e\...]...\.5.]..e...]..wX...]..wY...]..e^...]..eX.y.]..eY...]..e]...]..eU./.]..e....]..e_...].Rich..].................PE..d...^.}`.........." ......8..........<).......................................K.....:FK...`A........................................`%G.x....(G.P.....J.@.....H.......J..%....J.....p.D.p....................S<.(...pR<.@............S<.(............................text.....8.......8................. ..`.rdata...F....8..P....8.............@..@.data...`....@G......@G.............@....pdata........H......@H.............@..@.rsrc...@.....J......@J.............@..@.reloc........J......PJ.............@..B........................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2866176
                                                                                                                                                                                  Entropy (8bit):6.71639664914218
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:G9T1onpO0KVy2xq6To8i4BZy7+niuoen6yfzv9x0WFJDI:upKNMo8rBYinp/FFJM
                                                                                                                                                                                  MD5:8F3D89744AE11B0925FAF4B64890D0D7
                                                                                                                                                                                  SHA1:6A8F744BE1F76E9AD28287D969D8D24F5F1E7623
                                                                                                                                                                                  SHA-256:11DAF2BF89A3AC660533B3E487E0624668B35F45D2BD94E9B0324BCE8758DE60
                                                                                                                                                                                  SHA-512:250C06E70276C08D3D8A63744AF6C570B6288E1D8FED8DEED915C79BF0A80C3CD0A7E64C55A16FCBC50CCBCBC9910B26F87983CEEEA8ED28A75C1B8EC22DB53F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." ......".........0.........................................u...........`A..........................................).......).(.............t.4.............u.,4..<.)..................... .).(...P.".@...........(.).P............................text...U."......."................. ..`.rdata.......".......".............@..@.data.....I...*.."...~*.............@....pdata..4.....t.......*.............@..@.gxfg....,...@u......R+.............@..@.retplne.....pu.......+..................tls..........u.......+.............@..._RDATA..\.....u.......+.............@..@.reloc..,4....u..6....+.............@..B................................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):10717680
                                                                                                                                                                                  Entropy (8bit):6.282426578921538
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:196608:WgPBhORiuQwCliXUxbblHa93Whli6Z26wO+:W8wkDliXUxbblHa93Whli6ZUF
                                                                                                                                                                                  MD5:74BDED81CE10A426DF54DA39CFA132FF
                                                                                                                                                                                  SHA1:EB26BCC7D24BE42BD8CFBDED53BD62D605989BBF
                                                                                                                                                                                  SHA-256:7BF96C193BEFBF23514401F8F6568076450ADE52DD1595B85E4DFCF3DE5F6FB9
                                                                                                                                                                                  SHA-512:BD7B7B52D31803B2D4B1FD8CB76481931ED8ABB98D779B893D3965231177BDD33386461E1A820B384712013904DA094E3CD15EE24A679DDC766132677A8BE54A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:...'........CmnD........ Copyright (C) 2016 and later: Unicode, Inc. and others. License & terms of use: http://www.unicode.org/copyright.html ......E.......E.......E..P/...E.../...E..P7...E...7...E...h...F...h.. F..Pi..0F......DF.....WF.....jF..P...}F.......F..`....F.......F.. ....F.......F..0....F.......G......G......(G.....;G..@...NG......aG.....tG.......G.......G..@....G.......G.......G.......G..P....G.......H.......H..P...2H......EH..`...UH......hH......yH..P....H.......H.......H..`....H.......H.......H..P....I.......I......-I..@...=I......PI......aI..@...uI.......I...0...I.. 1...I..p1...I...e...I...e...I...i...I..`i...J...i..)J...K..BJ..p...^J..."'.uJ..P.'..J....'..J...5'..J..06'..J...>'..J..P?'..K...D'..K...F'.0K...H'.IK...V'.hK....(..K....(..K..P.)..K....)..K..pW*..K..P.*..L...*+.?L..p.+.bL....+..L...U,..L....,..L....,..L....,..L..@.,..M....,.-M..P.-.IM.. e-.`M...e-.~M...R/..M.../..M..0.0..M..@.0..M..P.0..M....0..N....0.!N...,0.9N...,0.NN..0-0.fN...-0.vN...Y0..N...Z0..N..
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):479232
                                                                                                                                                                                  Entropy (8bit):6.363205504415342
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:0Jk+JyNnPUXhbZ/+a1KYsjNDsrJg3qkrzxwbP6wvEMrwrD7Qy/x6TYtaoB+YEB0+:qbTcZ6+lOP9rmD7QMYYtaFy951wj5ze
                                                                                                                                                                                  MD5:F1FE23058E7EECE1DE389A0C882BC1AD
                                                                                                                                                                                  SHA1:E83B15D2BBCB6FB2867651A2A9797ED3B6827947
                                                                                                                                                                                  SHA-256:A4336A318E8D92A47843D5FE429DC6D1FF7271D8BAC189D719BC8074A128FD6E
                                                                                                                                                                                  SHA-512:D7D51FCB05542FA81E871DD9F1DD960C363107D1C25311DCBF81E440D1275054C121A788DEF8DBAE47C129E95FD990042E2D39E6EF2BDFB253A114146EB33973
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." ....."...(............................................................`A.........................................4..h....B..(.......x.... ..pA..............H...,,.......................+..(...@A..@............E...............................text.... .......".................. ..`.rdata..,....@.......&..............@..@.data....K....... ..................@....pdata..pA... ...B..................@..@.gxfg... &...p...(..................@..@.retplne.............6...................tls....!............8..............@..._RDATA..\............:..............@..@.rsrc...x............<..............@..@.reloc..H............B..............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7692800
                                                                                                                                                                                  Entropy (8bit):6.501902638931627
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:98304:9x8EI0RtffaYFH3lV5D3u31okx/6bXm3q:LhXfTFHmoKgCq
                                                                                                                                                                                  MD5:76141455CD2705897D38E9785117E405
                                                                                                                                                                                  SHA1:EE091646B6273BF006CFCD84FD54384B0A9D0E0F
                                                                                                                                                                                  SHA-256:7B0BAA9E2E731716EFE3E0BEBF6A0BCD2D64F35D9F62B20D23ACB4E098C9BE36
                                                                                                                                                                                  SHA-512:551B79AAFFDC469448477AA72554458235F118559EECC567C232599A4193B2639C14EAFACAD533485089AF58701AEABEE690B43F36E41342F928D4973EFC02E1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..d......f.........." ......Y..t........J......................................`v...........`A........................................}.l.......m.d....pu.......r..U............u.,....al.....................p`l.(.....Z.@.............m.......l.@....................text.....Y.......Y................. ..`.rdata..|.....Z.......Y.............@..@.data...\.....n......nn.............@....pdata...U....r..V....q.............@..@.gxfg....,....u......Tt.............@..@.retplne.....@u.......t..................tls....B....Pu.......t.............@..._RDATA..\....`u.......t.............@..@.rsrc........pu.......t.............@..@.reloc..,.....u.......t.............@..B........................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):489715
                                                                                                                                                                                  Entropy (8bit):5.4071564375394185
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:3an0y+3zo5ExirXKhaG1B2+H2JynyaI4IVzZo0vgElgA2W0PSq+2ss30fzO75g6D:3a0y+3zouxkXyd1B2+H2JynyaI4IVzZW
                                                                                                                                                                                  MD5:2602CD68EBE25F12F5D9892D5FA92B11
                                                                                                                                                                                  SHA1:478766DCC8CE4427872BEBD81AD929F7AEF250A3
                                                                                                                                                                                  SHA-256:E36A906908A92DAD39AD8E5B344B38C538574E35C5386AC2B901640B202D3228
                                                                                                                                                                                  SHA-512:6BBECBEAA6E09857A5698A280475496498A88488249025B2F58CA7A8493A77BC13FCD783041A6198F58696F4E2A84C3DBEE0891E89800DAC6F3FB317F70C5492
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):794986
                                                                                                                                                                                  Entropy (8bit):4.8798900601209185
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:/x1ATZg8/xp1GCj+VRRz085d9tcV03OzPkS:Z1J5Q
                                                                                                                                                                                  MD5:AC7A72616A544CDB022EDA20B0DC8872
                                                                                                                                                                                  SHA1:50B7F8363894A7E33042412804EFA2BDA510ABA2
                                                                                                                                                                                  SHA-256:1847F8517D8F26C856ADBF08DF3996D5F3B7AB61378199C138346BFE29675F01
                                                                                                                                                                                  SHA-512:D5B3B851A0D6615ECCC1223CFBA6B285AC8387E0C0F9DF1FB5BD95C9A208813B31F56546FC9C624E7F3A12B35AB7E8ACD13EA85025B5F9CF74DEF60AD679A546
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):871955
                                                                                                                                                                                  Entropy (8bit):4.902875426840413
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:4P9FlB5/G/d/RXCwR14fvPUKzUUk/K5MN0j+OzIh4pG:4LhQza5R+9
                                                                                                                                                                                  MD5:4D0A0771176823BF004F9182B94BDE82
                                                                                                                                                                                  SHA1:7E0601D8DCA0404736787D85918D1A680A7E68EC
                                                                                                                                                                                  SHA-256:04E83274DEC0274DCCBD97DABCEFE3174EA1DA5B62B5D24E047E2036B93F3482
                                                                                                                                                                                  SHA-512:6DD144273252026BCF08BE52189EA5A15410A42A616C9FAC14EDB4BE7D98023B65FA1746ED50B654E57F140790E8A92B1080F2F035ADB81B7D10AA473F2DCA61
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):906398
                                                                                                                                                                                  Entropy (8bit):4.655210398798349
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:E+CDcquMMLYzzQkECPUwVbtcHU373ZA+3aAKHkVDYyKzumpod2nm5c0XuGox3QN3:hCDcquMMLYUKUwVbtcHU373Z93arkVDn
                                                                                                                                                                                  MD5:D0B47C1CF62B29B866CA630958A019FB
                                                                                                                                                                                  SHA1:BAE6E1AF9D7225584510443AED21A40FCEA349E3
                                                                                                                                                                                  SHA-256:24C09721C3CB4F3FE7EB403113375257197BED808295C6B85532409B6664DB45
                                                                                                                                                                                  SHA-512:39472B1F6859C10CC782A303761D63A2409807D7D342C3BC558075284CF455A26C3E1B9B4CE67A5FBD84E6C4B621ADCFD8FD8A819CFC25554962454E5F4B5816
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1170199
                                                                                                                                                                                  Entropy (8bit):4.270267200548805
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:iOXg1lMf3u3jGVxXD7unXU7AI2HSzhb0Ylf14/QISydDbsh8VBbFKQg5hNDl2Ob:Hw3MvpXD7unLxSydHsh8VBbG5Hld
                                                                                                                                                                                  MD5:83A0030387AFBE1CD2D6790079FC5024
                                                                                                                                                                                  SHA1:9D4253D253167AEE6F3BA9CF6F8F376266832D00
                                                                                                                                                                                  SHA-256:BF2FA4C57095E0BE63E8CD1AE6D2389D6417A91D8C9E1970EEEE5363C46F0D27
                                                                                                                                                                                  SHA-512:20C92C5C3634A9663D933AA98D9356E18BEB8927F2975778967A65CC25522560784EABECFE99037008689CF3B77093C35D3F109F32AE2DB2160E9798415A3771
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):551632
                                                                                                                                                                                  Entropy (8bit):5.40551102269728
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:WM4Hy2Q57BREeApk73K5PqF4N3Mw2juwHzejm0t3lvqbETX9/RSHhIsjcmlLEYuT:+itVzaBRn1WDMN8UpOO5J/ras
                                                                                                                                                                                  MD5:D5D6200B582B9B12A0BD8C773DEA0474
                                                                                                                                                                                  SHA1:341650B76AF1C74129A97725673B646B7256D4D6
                                                                                                                                                                                  SHA-256:F4DA114B473C34E0946B12289F6E802FCEDE2F66013D4F184C729A1F8AE7350E
                                                                                                                                                                                  SHA-512:1465E7214C4AE818B545778B831B7773F0373726F705160BA4DF33CE3C206A2166C8B6519336FD2B1E405EF6811D2CFDC2A655F1B767BF9B4E083C6A33B34AE4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):568567
                                                                                                                                                                                  Entropy (8bit):5.839431034543846
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:0/AkCOZjqspN1oAUGCDAfiebO5zU8rEsiNOPY3SBFmPy38Qu:0dJZuSPoAUTbe65zU8rEsiNOA3SzmPH
                                                                                                                                                                                  MD5:0E52AC897F093B6B48B5063C816F6CA1
                                                                                                                                                                                  SHA1:4F4FEBB42FD7CDD0BC7DF97C37DB0E4AA16518E4
                                                                                                                                                                                  SHA-256:5635587F6FFB152C027B4357092FE78168E31CBC7F6BE694C627F819C1AD1D73
                                                                                                                                                                                  SHA-512:9CF5594AC47AE967BD4221F61B92C97343EA0C911FBE992D35A9391E3E1E6560B1B41BD031074CD262A622CA88AF3B25BA33575B456A4D5B8A7B897233C0A54D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):513715
                                                                                                                                                                                  Entropy (8bit):5.450169156228439
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:gRsuNwWzVPsP5sbse814e8jKwlRDdJwL2obEZZaFRQ5Mk2rkvb3d4nTGqFwJ:g6qskjdTv5M/rvTpu
                                                                                                                                                                                  MD5:D5BF4ABA2D82744981EBF92CCAADF9C0
                                                                                                                                                                                  SHA1:1A1C4EA1D4ECF5346EE2434B8EB79D0BF7B41D46
                                                                                                                                                                                  SHA-256:0C75ACB008DD5C918D8A1A73C22FA7C503961481BF1708F6BDA0DA58693C3C08
                                                                                                                                                                                  SHA-512:5BCCC18687FCEFAD5E78C5C8072ACEA36CE7687C5B848A1E0367C82A38F32F46402FF01EDD4FB1379EE77083EF0E1964E24BAD87B18CE78077B28F0C1BD4BD08
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):549246
                                                                                                                                                                                  Entropy (8bit):5.505323401507658
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:VJdzQHdf003K7UpKD93gFahmOW2xdVfwAXaOV5jbt5ZRYJoUjM5QIvCWa:VbIC03K7UpggFa0DtE3t5xUqvvCWa
                                                                                                                                                                                  MD5:0BC4A1CF47A5AD423969F22AF3030231
                                                                                                                                                                                  SHA1:3F6F19725068509EFD426600A6B512158267EB58
                                                                                                                                                                                  SHA-256:E33EA8240835CC775A9E88942AA2905D17CEF84929602FD2C4F26F33F9BDC52A
                                                                                                                                                                                  SHA-512:D9AB8855472077FBD7277A73FCB2BFA8CBB592F39E62957ACD91BFAC2E51DC24BA23D6C6DACB8DCD4EDFFFF5A59B2BB4D9761F70327AFA0A668BD55E95B00864
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):994931
                                                                                                                                                                                  Entropy (8bit):4.737922927263801
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:2YcaPdGgxh1hxFJiL9+0JXDsSaSmqHuuD2Np6P4j/MAVH8yeVd85tRDQr3egif27:2YcaPdGgxh1hxFJiL9+0JXDsSaSmqHbp
                                                                                                                                                                                  MD5:71ABCFDF468DC5813610DD32234BE946
                                                                                                                                                                                  SHA1:AA4C14E702B06E391834E4CFC58929B873BC3D1A
                                                                                                                                                                                  SHA-256:F1E01EEB90C0842F7AF927F65D034FC93FDBCBCB9B9EA7E31C79761C316C8FB8
                                                                                                                                                                                  SHA-512:615B591E4BD744848E6E15B729E543FAA9AB06DB11F042FFF12FFEE6FD3E7802C9DA37D8784004E6727FC39CDE17BECB60C1158DEC401E20A088056451693BB8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):447042
                                                                                                                                                                                  Entropy (8bit):5.522859001768912
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:hR4GWUMzWjLCI7MP9ej7HXfaYISMv5n51SKBcWRnpM:UEh7Ma7H6N51SOM
                                                                                                                                                                                  MD5:413E4484B8AA83BF7D928AF143340DD9
                                                                                                                                                                                  SHA1:92B8DC474FD507F28C51B34014FE9F867AF25531
                                                                                                                                                                                  SHA-256:AD460425C88BE889D6D6A9B69D0B6F64E2E957BF8AC4F230DE4D25340C75BA87
                                                                                                                                                                                  SHA-512:E8AB41CA706D8A49B4A411FB9F50BF1C04627DAB452A7AEC01A5C61E4951FDE42FC05163CBD193F034BFEE378849353DB9AD4B8A2DB3F992DF105DF17BB146E0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):451080
                                                                                                                                                                                  Entropy (8bit):5.512024572152552
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:UVmES/piH64PrXGM0w3jMMP9eD3D9faYLbcNx54SbngP/eoQwB:Umz14XRlMMY3DzA54S+QwB
                                                                                                                                                                                  MD5:8F164155D22029535CD60F47966A89AF
                                                                                                                                                                                  SHA1:19733935EFE68F7FF3E2A84D28317E0391EB824B
                                                                                                                                                                                  SHA-256:20BE1732675FEDF380010B09936ED65C71BB761D0A05732215EF0795B5ABA606
                                                                                                                                                                                  SHA-512:4582715817BB9C99D875AA89B1EFBD0F70B63DCD37DBFC64E3078D1D4D7AD4AE8FAC5A703AFE1FC65B9AF2F5C0FE8D3E293E2F0530106A6974B38B4CEBCA9DB0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):543303
                                                                                                                                                                                  Entropy (8bit):5.374575506060356
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:BJoGuBgJYXqY+clpuYsKBoj5z6gLFdUu2bR:BJqGiqQpPU5z62F/oR
                                                                                                                                                                                  MD5:6E7EEE3C0D7935B4B72FB529227413D8
                                                                                                                                                                                  SHA1:64643BA51EDCA0C0387073716D68380DF5E2DC7C
                                                                                                                                                                                  SHA-256:06D13FFC791BB7189F5AFBB166B1DC2BCF9309F04B68E4F16BAACD4B3F625021
                                                                                                                                                                                  SHA-512:F55A55D9F23463A51F48BD16DEBCC6FCA28EEC4CEFBB3006083E741795EDD9A9EFB8D1126210F4A35558BC698C8A76A43E9E56093A90145137A7854B4A2E44F8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):543232
                                                                                                                                                                                  Entropy (8bit):5.350780003321714
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:DD8qint0wME1/o/7Ng0Hkp3+UNoqFtnjO5Jmr40nIw6PZgHu:D4vthMsy7EpPoqTnjO5IrbnjO
                                                                                                                                                                                  MD5:1EFB37FAA54DA5A7D9FE694FEE7D5E4E
                                                                                                                                                                                  SHA1:497F6E0FB9DC099DFD8E107570FEBE9D0A6EBC2D
                                                                                                                                                                                  SHA-256:77AA01763C114B75A83DE3C34C60497B1CA23C98523F58A43C76AAE7380AB3B6
                                                                                                                                                                                  SHA-512:FACC41943159DAD7541F5D50B8216F6CCF02703A983DD81120F387DDEA70D502F5D66C275F80267C7A3B1EB9F1C751A4EC3B307D03F872BE4237366637BB829A
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):493540
                                                                                                                                                                                  Entropy (8bit):5.454116761923621
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:+pQdZQe2AH5hJ1HNR5yyX+DuH/Fb0WmFosS4Eqsoh7Pwiw5dQH57jnMlvCKMvaKL:+yZ92ejyyIuJmFoszwQH57jUW
                                                                                                                                                                                  MD5:78A8A4956B1CD09124B448985A839F28
                                                                                                                                                                                  SHA1:A25BCAB44ED12DD0DD643AA6782903B22B84816B
                                                                                                                                                                                  SHA-256:AC1431E61F8C6C56EF96860DC8A8DDF840DBF6965AF6B920D811B7E39ADAB6B1
                                                                                                                                                                                  SHA-512:843BAFCE3E528BA98A3FF537B01D7896F83C22C0AD2E43BBCE83381FAA943D74D7B11B419DAAC0B0F57DE30D5792E3262DEFE9C68F5F4C7CA84B173395D14798
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):808052
                                                                                                                                                                                  Entropy (8bit):5.022679220176124
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:Jap2Eq8u313uyqoT+s7q+NRmX1loT4RmdAQifaQ2XxFMJGk620driUHMX9O9xdpW:sUjJ5SV
                                                                                                                                                                                  MD5:6C6C939CBCE5A9AE6B6A89B9DC1B14CD
                                                                                                                                                                                  SHA1:8674B02FB2A11BA6664427C78401D261DCEC859C
                                                                                                                                                                                  SHA-256:D77AADACDB5B72345C68590ECE6463EFCDD4E8817FE3DEDAD98D64F132B8E48F
                                                                                                                                                                                  SHA-512:3CF8ECCAC20108550C2A7758531AE992D72AA23396ABDFD38E613ED26FC755FA33385B4538DCE9E19309B622973CA6D4C0FEEEDC7064DF9BB12419DFC630D545
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):504052
                                                                                                                                                                                  Entropy (8bit):5.421469618205756
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:/aVXt4D7SmA19ub5KuOar5yZ7kfCHEpyWaM7OYM:/64D7Smll5yFHZl
                                                                                                                                                                                  MD5:83DEC7D70140F96E780BCA0E97EB3DFA
                                                                                                                                                                                  SHA1:E0C9891241D88716419F476BB193ADA5D8606EB1
                                                                                                                                                                                  SHA-256:AE902AB57A1325D4F0A0A1C69790F28F5E49B5671A99C4C315367B4425D1DE97
                                                                                                                                                                                  SHA-512:7B1851C2476290DBDE7DCBEFBE75F89041EC185DC4354DB55FFE2DA588E17363403921EEAF9FD26EBA8EB4DE3BF99876339DE1DD4219EC6F5E2EA3679B90BE71
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):569703
                                                                                                                                                                                  Entropy (8bit):5.1919702904490395
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:aZdptKHeHQogDYIQy7DQEuH2V8L0dnGNLmG5IXmr1YARQqK:odM5kxEG5mmg
                                                                                                                                                                                  MD5:E499AF17FCE1F7F276B3BFB0E1B2F5B2
                                                                                                                                                                                  SHA1:E2BF18ACF2A9E357AA7A694B5C60F947FD8BB0C2
                                                                                                                                                                                  SHA-256:A30015021FB928BCF16F9409FB45FB89CA3D196BAFB3597DF3FE4A9E477A3FD9
                                                                                                                                                                                  SHA-512:A1F03B7A6EC3F4601052D4E1F2CA6C092D9E5FE41CE7DF89F7E7FBE1A1892DF73A9CB85058F3C24E1236ED013E2BDD017F7BEC3D6B6FF13CA61BF0849C73F472
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):587932
                                                                                                                                                                                  Entropy (8bit):5.385302506831163
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:3OjnZLqxMDpDgEL6QuaMVWXKz05FlZQmZyMYnYtzLl9ujzx4e5hxkJSW7v40wCJY:3Okm2VqN5Q7
                                                                                                                                                                                  MD5:606E583292DBEAE8A3742A700D09E1C2
                                                                                                                                                                                  SHA1:BF49B446173BA81EC3F926D69B87A81C5E233C4E
                                                                                                                                                                                  SHA-256:C22E274FBC4A033CB8A9A4E9A96F82487DC671EC0AD49B3257939D2A8A751442
                                                                                                                                                                                  SHA-512:47277EDBFB2DCE8724900C0A7B0231E34DEEE19B268F46C08D56ADECAD38D629D79466C26B701B6F43607F7DCDE55B1BBF6C3D73BDBD7E22096A0D14AD901621
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1148544
                                                                                                                                                                                  Entropy (8bit):4.309990877698155
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:A4TQMBc+YPbBMDBW6bfrBDNOHIwjAwREJKVMjNiT7llj63rFXlPCpMi5eWWiMJsr:A4THSPbr6bvMa/+c5q4hNkFR
                                                                                                                                                                                  MD5:DBC465E12C921212C1A3E899E5FD5046
                                                                                                                                                                                  SHA1:F6F7081E622DF0FC9647DCE0572483899A59E440
                                                                                                                                                                                  SHA-256:7B06F3B7040901E7DBD2884BA534D43E73013CE0677BC725D53BCCD54759AD5E
                                                                                                                                                                                  SHA-512:9C3F3E7E7A62A0148789F561C37144F971ECC16C44A4F5A89214CBD7FADE0E1D2CCCD5C106C4718DF84A198262EF139A6530C400F5C0873231009E8B432BD3BC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):708276
                                                                                                                                                                                  Entropy (8bit):4.622250398985609
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:N7wJFZb6J5hhT3BluYCy31frspm2GWqu/kol4JACVXbfeQCajLn5O67cE+oixB0X:ZUFZQjb5woB
                                                                                                                                                                                  MD5:0002D6ECC7F06D88DC714DEBF31C925A
                                                                                                                                                                                  SHA1:4C5DE1E0A8EF47B0D98BB3A9C5C1EE176F0DF3EF
                                                                                                                                                                                  SHA-256:D71C98ED9EF2AAF13033332DCD40F41785656C156D41614916353DAA3EA5F2A7
                                                                                                                                                                                  SHA-512:060C668B540813055F7537B64F8A9F4B393E3E1D31A6341C603644725EB8673E3249A07B7F519CCCDB65C4D2ABED2792580DF880CFB8B9B154D9DDADB3ADE027
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1211426
                                                                                                                                                                                  Entropy (8bit):4.285504136009603
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:EzCplnpUoc9rQtU2BxfwUV/BB0ZV1d+uxlRLiW3Jd1eTByntDPtDl+p1as4u/8W0:Ez/Xlexoev85P5+hgr
                                                                                                                                                                                  MD5:5FE0B17532CFC8523F97EE17DBA844A7
                                                                                                                                                                                  SHA1:6233FD3670BCB32C4EFEAEF7BDB41ADEE6EFD825
                                                                                                                                                                                  SHA-256:352F833B4F936369216EEAA1F8C5E652B34A36CC143FF9A872B0608E4E88957C
                                                                                                                                                                                  SHA-512:A37DB9DA6D9B5F913930712A57FED8EBE1654787B246445A40F59A91FCC67373367CADAB2DD70A89445514F2D6D806FA3DFD744461E2C15777FFAD30D3D0BF12
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):548310
                                                                                                                                                                                  Entropy (8bit):5.5075408976258435
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:21tKv376P+UG5oi2IAD1OaBV08HSrk7D+wfWrDfB+uhAxqOSAq6+xMcwd0uP5qci:21tKvL6KrA5nEBwuBhbkBc5Pg7YIjemK
                                                                                                                                                                                  MD5:7BA9BF24F9965EF7FF2A9EEA86188EE0
                                                                                                                                                                                  SHA1:B9953144FB5E519A7A35AE595A29D15BBD34C0F1
                                                                                                                                                                                  SHA-256:F882072827C75A5C046E29CC4E2468A41CB786199045B58550E978272D338FE8
                                                                                                                                                                                  SHA-512:768213543C68CAF8CA941B1C7C87E5DDDAAFC4915457A849C83B4FECE528BB7BDA409B99930572DBC6A102FD7DBB29A593073B1D5B894708AB2B2019A938BE2B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):590492
                                                                                                                                                                                  Entropy (8bit):5.641447107584658
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:OUyE1INoBuT80LvP9/Hs8DfcAujkatvV5RvBFZfpdVYGkb7ZNIeHK9njDi54Rryy:OUJSNI4/sA0V5RvBnuzzKY5y0n4
                                                                                                                                                                                  MD5:AB64CF95B5231922340ECEC09182DCB2
                                                                                                                                                                                  SHA1:9EDDEEF898E4A4C1EC6DB989587A75FC3E8A1E75
                                                                                                                                                                                  SHA-256:E806294A2D609A514DFA416A07625FB2F173018BB2E278323F752EFC459C39F8
                                                                                                                                                                                  SHA-512:BEC74EF13DB548FB9B225C6AFFF2841D5BD987D4EA129ADEDF6E5B852D004F89CDCF5FD4A6CCB1E4E5448EF38D488F258E3D5CC49C24775A34647CC0BB7102E5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):486837
                                                                                                                                                                                  Entropy (8bit):5.373459958164849
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:Xedqj3oEK2twd/yG1wF6f+eVnjHF3mmi8IxZ5wZhrwkK5cTSzo7IEji4JHF:2qj4MWFytFyVnjHFWmNIb5wZhlF
                                                                                                                                                                                  MD5:D736B044FA41A639E13A2BFF3972A182
                                                                                                                                                                                  SHA1:9CD13B7D8E1B11F13DBB1FBF7EB8A6263F27ED07
                                                                                                                                                                                  SHA-256:C8E30F0C11D78C7D603DF40BF6E9B2FE896EB36A8EEE27D9621A537545B2F609
                                                                                                                                                                                  SHA-512:DD1CF38ED3B3C93395A1AF45EC81D6B665112280B89AA5F2108DDDC6F2290F3BCA0DCC696D8DAC4967B4D58C248B2C425E6CF36CE5A93CA1F80D17B00EA2D4B5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):536254
                                                                                                                                                                                  Entropy (8bit):5.290910182310605
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:b+EGmPIUsd4x92/ii/jNLiISIqRRRsO1StORT9TjexKqcQxLcaPpzHi9fLwlSfpA:BPIxmjZxa8uN6sjoy5IkoW
                                                                                                                                                                                  MD5:52109B028A189C75C3889300B7EC728B
                                                                                                                                                                                  SHA1:AABD5CBBFFF52B6D89158B0D78CFD6FABDE706AF
                                                                                                                                                                                  SHA-256:89D7EC12AA52D5F2298D3FDDFA24439BD89031C4341F1D2B9900A2E46664F7D8
                                                                                                                                                                                  SHA-512:8766CC41EB7510F200E0F8E27A2678B3F50378AA6F1764B11DA79D120248B6ECCCFAE7A4863AE437AD66133BA0C1BB25F5242AC9DBCE87916382F18BBA1E2256
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):655212
                                                                                                                                                                                  Entropy (8bit):5.686448471913808
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:tPm/rHeA9VXH3Wv0WSGRpZXQ2y+BbX5znS1V7:o6UJHmccpZXQ2y+N5znC
                                                                                                                                                                                  MD5:5C8C92313284117F3C549DC53273AE8B
                                                                                                                                                                                  SHA1:697F746CFFBBCA1D43BBF29AC1619318BD3DC96D
                                                                                                                                                                                  SHA-256:4C34AAFD5794886A4D091C4F4A97642BB9F199B90203D904E14E503FC3EDB845
                                                                                                                                                                                  SHA-512:1C1232B6CDE8CBE2D827BEF0C0495165B4CC27494249BCB44B73D03404F3070AAF2CBD72F8425D24D197F14757553157858951280E524608AADA053EAE028DDC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1316964
                                                                                                                                                                                  Entropy (8bit):4.222438704648711
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:g0bF+kiawFCJiDQ6f03QIBRFUc407L5PtzUk4pt+h9bu:g0bPinmJL5ZUV
                                                                                                                                                                                  MD5:17D2349C9191C0E9D70B03FF3E240B3C
                                                                                                                                                                                  SHA1:7B425B76CD479273CA092606DBE326A1301FA472
                                                                                                                                                                                  SHA-256:EB1BD5B8F89B9E9B568912455AD3B8A791F3370A34411E6FC982A661CC1B05AD
                                                                                                                                                                                  SHA-512:7EC6AD8B7CFC80782B8CA1702BE66B56FFB8AADB307CAFC5F6C4D365FD3FD273FFFF737E496A36F9162EFDCA5189B06A137753BA3A70418F490DEFA9884F2B96
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):553673
                                                                                                                                                                                  Entropy (8bit):6.059297407958035
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:OokI3UKOV2Ngi7w2IyxxMSVG0GTZn8t8OQ4E3hkaYrLCqD5dEp7RqGT8U1wXq7hW:sFel5i8QzCr
                                                                                                                                                                                  MD5:714958C45E5EEBD32B6799FFD76159C0
                                                                                                                                                                                  SHA1:B38CA8FFBEE6FDAAA00DE9C77074F4F6BBFEFB8D
                                                                                                                                                                                  SHA-256:87F8003E7FE90A487C1007A626D30B8A77FEB54E627D3FE365DDB6A66A7E4AC4
                                                                                                                                                                                  SHA-512:E60E77022902BF13E747354BD1AE5E9C3F4E8E6642D52C0EABDBAFF7B829ADD3251851A02B65F941985D31C7D5EA02347023F33269336B8B476E2314924022BB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):594260
                                                                                                                                                                                  Entropy (8bit):5.634301538864236
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:55mDjVARjMAUbgXaG1DT/G5qzIx1JgNR86SNM:+9IMQqOG5LxngNRX
                                                                                                                                                                                  MD5:1051DEEA3EB2BC73A1CBEF894635541D
                                                                                                                                                                                  SHA1:A122975C2C3366FC4D87AB4C6C3C6D65FF6AA4A9
                                                                                                                                                                                  SHA-256:95253DEAE9554317C60490A982A4D310C87238096E3BAD0329E8BF4C944CBAED
                                                                                                                                                                                  SHA-512:2DBB1DA602FE9966C03DEBB03C1B793574968D68C5386FBBB7E56E97D6626DBE4991ECA6B9C470BF778A327E3DB29530977D25BA40E5704501696DC8AF8D0302
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):593573
                                                                                                                                                                                  Entropy (8bit):5.6301516471633715
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:fZBZxz1/4i+sRe28W/raTmNstVFph6T97vcGj/kbO15UyYTbEwTe757esFOHAYX0:hNylsRpWXQT9PrV15cEwTY5tONA19
                                                                                                                                                                                  MD5:0308AEC65AD35B2282571098DDDBA5AE
                                                                                                                                                                                  SHA1:5DD9A983BE7C29405575C658E73633F678FE4469
                                                                                                                                                                                  SHA-256:54541C9ADEE8711C3D391B67B2081214166621212A670B0F2D633D1E2623A757
                                                                                                                                                                                  SHA-512:967D4B19F8455B3D5633E6B9ADA3904B7974414990E705590FA2D2D0B2E721789165D4A2877C56287BCDEC27205C3D47D1F7CDFE912D4A27023E3AA087626ABF
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1369647
                                                                                                                                                                                  Entropy (8bit):4.256761759711836
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:oQyj0aIA2cMmsbbAU4LJxFq/ixn9mMl6UQ6KfUBp/OZCBEmeyo3ewhp5A47uhs4s:oQygaIiMGKfUBp+yo3eo5A47ks4+3X
                                                                                                                                                                                  MD5:83069898AFA7CB0A288CF8D17505536F
                                                                                                                                                                                  SHA1:2EC0F1F3CCDE4F88BBDF37EB1BF8FEDA82B12AB1
                                                                                                                                                                                  SHA-256:957B57BAC9D8A927BE5CFBB74D23DCF69CF2678ECD4FCF2158A391F7A02FEA87
                                                                                                                                                                                  SHA-512:E6F549C732F0BD0938B140978C49B2AA097876970ADFD7B87CA593ED54C3456C041FAC28883CFF7DA61C7EE3952A6C7EF2C4FAEDBFE6A23522FF6FFB083C24BB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1125467
                                                                                                                                                                                  Entropy (8bit):4.28845834623339
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:JASH222GPf+r97QyNiMJ0voJZVLF2wnVPbtwpFFyGRU3RxYR3lDdjE9xOUq/1A3Q:rYo+rdQyh0oaSpgKZmbzAyCLj5cpAK9T
                                                                                                                                                                                  MD5:E45351AD81BE0444C2731E0FE2457BFD
                                                                                                                                                                                  SHA1:23CAACD7F2354CB3C1A72CC89799DAAE3089EDE3
                                                                                                                                                                                  SHA-256:BF42C87554153B83E53ED8B839A74A50E893ABDA190D7DDD73521CC6D121DFA7
                                                                                                                                                                                  SHA-512:B93E70B09EB536A2AB58A064B05AA13D6B0EED08EE1681AB9C59374D119A8BF3CCC2793FE005D0C51734AFE25794C9BBD759EF7085A4B9FA6C3DD5E29D0F39B3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):510468
                                                                                                                                                                                  Entropy (8bit):5.247079358159538
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:v8fC43K+W84G7nWiBx7+2YRldjiMIUcGm95bbHxOM9LLEWVHc:0V3KE4CnPx7AldPc9530Me
                                                                                                                                                                                  MD5:EE31ADEDC69D7926395E4740E724245D
                                                                                                                                                                                  SHA1:4403D976C2C559747E15B219E76342ED3B41E5CE
                                                                                                                                                                                  SHA-256:280AE72F9FB328D6B9E0BAA5C27157E7E5BF0EBF699EBEAC597DA0ED4F670776
                                                                                                                                                                                  SHA-512:69426971040E9C8C5F9645A9E8ECE83E166575C23D9B1C5DB3F5A22488E5F7988127799FFF4CBC7445D8407E5F0761A666713C433030ACCCA4C991DD323F3181
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):495339
                                                                                                                                                                                  Entropy (8bit):5.423906423434989
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:GsKfvlCYYJ+8hz2bdXw5Op7fW9SighmrlDhP5RV5iM43CuMhVCD9vt:KVCj0bxw5Op7fW9S8lNxRV5iM43JF9vt
                                                                                                                                                                                  MD5:03F4AB4F1D042E41B37438AD38DDC794
                                                                                                                                                                                  SHA1:D465F7B3B05AC289F7C96FB9CF6603C30AF81466
                                                                                                                                                                                  SHA-256:1A35A4E5348CA851ADEC4EA1C666D56750D39174A35D74AB87CD061ABE063BF3
                                                                                                                                                                                  SHA-512:D0007B98BA9D9F2BC102A516CDE49B3982DB4698A1BD31E22104F5F634072943C98C7CD53E8CB02E320FD3A1455F8AE42DD99679A527C64723BD3BBC37743C23
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):511257
                                                                                                                                                                                  Entropy (8bit):5.365372926149592
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:syWoBilbWusvbgQ5Max5btohx4Gp7KYjOTy:syWIilbWusB5Max5behx4Gp7KYC2
                                                                                                                                                                                  MD5:834219D952A58BDB01B40CCE5269D449
                                                                                                                                                                                  SHA1:C325FDD7E21E993B745233086C9DF4376901E2B4
                                                                                                                                                                                  SHA-256:9B46EEC8A0B0B568DDC35387CA02C2116BAA7520EFB04D92325FEC17D5091353
                                                                                                                                                                                  SHA-512:9C28177D8530B24FEDCCDD7B4562A87CDF08567410D82FFC3E5A874474695A18EB533E7D55E4A901B77C873A22BEFF570B5C5CD79B47947B5BF3AF2C38B9D486
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):571219
                                                                                                                                                                                  Entropy (8bit):5.764870780434209
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:HlRzWoOB/k0wvZfQfR6HA5bFVP3CUdCe3mhUrMAmW1Qh4Mh59M14scly:HlR9glMe1Qhz53Q
                                                                                                                                                                                  MD5:75E71F0C6E72AC4F9DAD168BA307D2B0
                                                                                                                                                                                  SHA1:41129512809F2AFAE64B04FB1EFA81D9C22B8389
                                                                                                                                                                                  SHA-256:C8F76EF189D14A0C75407DC40348CD9171F5997A94A4961D86152CEA2258ECF6
                                                                                                                                                                                  SHA-512:EBB279F36D612CB1D94E9333140CACFC9E7946A646CF28CD75F55AB20680B4ED5645AC9887FA528A07F8BB03FE942D8E104D63AF1B11CB9F79826F34E53DBEF6
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):537107
                                                                                                                                                                                  Entropy (8bit):5.4226739022427255
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:cneZxthZ8l/gooNBXBLZWkoyVH553JBi90sRaY5Cs:rxOl/go+5NJ9sR15x
                                                                                                                                                                                  MD5:F8BCB6FD83B0425ABB9B214535025140
                                                                                                                                                                                  SHA1:51E72F9B419393674E8CC9AC3ABABD6FCDEFA251
                                                                                                                                                                                  SHA-256:3EF0114EAF2268262CD594BFE33B56B24FB416D23D6FD125A9AE022D8ECEAA99
                                                                                                                                                                                  SHA-512:A5DC5E3EAD99820D3EE9B83CF58670923EDB8B538DAE84FFC6B1AEA9869FEC58F0A5E8AD8BA5A792736D1A593B4B6664D734BE3EF524FC2B036B268FE108B5A2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):539844
                                                                                                                                                                                  Entropy (8bit):5.396781215354528
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:rtptZSTJLUHxk7jZieJVJJxhHLshYfVh85FKybSRLi:rtpmtAkt85FKsSRW
                                                                                                                                                                                  MD5:90964C1734B1C36442DD69EDBD85882C
                                                                                                                                                                                  SHA1:BA1FF66B255FE432278BC44860C6C4B3DA975296
                                                                                                                                                                                  SHA-256:B9439000C1C75565C2F223612079A51971AC54A3786D5B631F20436447929465
                                                                                                                                                                                  SHA-512:5A6AFC90FF5A3A65E9E2F4347635A82CCBFCC9D1F5D6B206828650AA49A2DCC59D3C8833CBFB9FC7CE8F347A28D718567E1CC300758A2EA5126C67E0967AEDC8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):559523
                                                                                                                                                                                  Entropy (8bit):5.4511750881399434
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:JF04spOl5qs9TjmXHjvyJeyFodxOINkjK0yGZq5zZyo2ts2H/ktO3:JS4sAKQmXHuJRFozO/u0zq5zAoY/b3
                                                                                                                                                                                  MD5:3DFCF8B66CE93A258D1631685A137E20
                                                                                                                                                                                  SHA1:4B10119ACB26C44EDFF2028D27E960B93C0BD812
                                                                                                                                                                                  SHA-256:5E5D1CDE0FCEB570C20E7485B32F0EF7AD59569B93574FCBBC7AEAD4906E7D14
                                                                                                                                                                                  SHA-512:17FE50ECD7D44EE5D652B4240CC3B01CF796F9EC11C5FDFE5AF9DE63999F10D2A50842FDF95FA2DBB4982139C34A9DFB11C8BC2261180862652A92F1497692C4
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):919180
                                                                                                                                                                                  Entropy (8bit):4.8229638553919765
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:vzmSGKfQjRo4YS5KCx/K6NzJ9ZF/Aalla4qSGsN9z/0TYH8eXN2hVO3j/tSbzvMv:vYXxm506tU
                                                                                                                                                                                  MD5:DE3B5FAF5D64B16867BE213591E545B9
                                                                                                                                                                                  SHA1:5B8BDAF38278604B5031E1C944349A31FDD281B4
                                                                                                                                                                                  SHA-256:07DBEEE5A0B9C6C978D1C593DB5DD6152003FA12170A8189BDDE77908D826DCF
                                                                                                                                                                                  SHA-512:5808A46DD05302338EF63B1F1815828840218324A6FBB1AE6B19F62D803795BA13F7AB7AEE1E39137F61F99651AC80166781CDB1F295FBBFDBB218C5A293967F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):577498
                                                                                                                                                                                  Entropy (8bit):5.8098091220164525
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:rSkwf/qsOkNEpiIip+RC5zwbLfrQzLPxt9eI:3wf/qsgpiCC5OLkBtEI
                                                                                                                                                                                  MD5:421D713180D716A060629C334630ED80
                                                                                                                                                                                  SHA1:FD2D0A0A6D7A27C40A725C1757299AFE6D3A12FB
                                                                                                                                                                                  SHA-256:BE66B2442B5B4A6DC28A14545E2C4A0BC7F9E6547A89F974D7B8A63525C1855F
                                                                                                                                                                                  SHA-512:A6C8F62DFE81008A888FAB89BCCDCA8242650771BC2B07CB6B51B77DDA2C8EB9F2681D6260CA584ED2BDBC1EB6A60B78C8E07445FAA4E15D2B30134989263EB0
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):554338
                                                                                                                                                                                  Entropy (8bit):5.479799007655059
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:v/ym7W5Op5rB2I+EbME5G8coJHvbxi/fz4Cqc:Xym7Wop5T3ME5G8cii/fz44
                                                                                                                                                                                  MD5:C2C99E4B36E16403DED88CFF651671C7
                                                                                                                                                                                  SHA1:F3257F4B444CD2E33451A76BD55F81372F622681
                                                                                                                                                                                  SHA-256:8095CE45373D8DE8DD243FEC034643060CBFF67A48FA81414E31A0B9327EEFC4
                                                                                                                                                                                  SHA-512:D8C76B7C9C3B6A1CF5C72ABED0B53E2552EE28D1575CBE3B680904281F07EC797D37A4D60590490984C6C0DCB33D3C688869DEE9C51920D4B41862D1E5FD7DC2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):853696
                                                                                                                                                                                  Entropy (8bit):4.754963351356009
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:QhjTzIuup7+q2YZAYI8glSDdrLuzQhrUPb7FW5YrT0xs7xH4rL37SjeYM/k/p:0jvwvwlW5nxoP
                                                                                                                                                                                  MD5:D0045EF8D5EA1347F09983410EFFF00C
                                                                                                                                                                                  SHA1:4C88AEC2A3D54E44E0D05281201B06917FAF17AD
                                                                                                                                                                                  SHA-256:A50C82C0DB17E2AA4A62068CA2B210FD9847D32BF2134D6D5AF1FC4B7050091A
                                                                                                                                                                                  SHA-512:1694CBD28BD29E5F394E3F6CEC01F9EFBB9DA8358F59FF80F550D4059ABDB02E02D4D4DA007E0646FA5CFC812FF8F94FE0A747BDF8B6F8449F02D28D83D536D5
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):498248
                                                                                                                                                                                  Entropy (8bit):5.542683564471982
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:g3MKUcRe61TO/AYcNUAvSCZxemvZl1BI4RFcz9RyoxGOGW3IiRMaSOmDE/xWcqdk:g3/LCAYcGC1l5+5dzB
                                                                                                                                                                                  MD5:02AD118E6E093D71E32291958F5A44FA
                                                                                                                                                                                  SHA1:111974CF0FBC304B1395A6D68FF3A79A25B72B76
                                                                                                                                                                                  SHA-256:A615C0756155436781F8E8543D4B4163B7D96CBDF58BA86DDCE8B39C5B7A17C8
                                                                                                                                                                                  SHA-512:717A438BBEE8D21011C1DA203B5126EF4AC330CD94013A93EEBA518E5E33772A8667A84C368B1A9B2D1E151D8A81E53CD0C5C59C58A578BD4AA1345115C4A49B
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):524797
                                                                                                                                                                                  Entropy (8bit):5.339786582850613
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Za8pzL2fuucrB5G7CCRdCAUQbQW4243EaeFNUq89F1ggt45rUAcw06yJMkJPe/Bb:HkJ5IY
                                                                                                                                                                                  MD5:AD41974EFF2483E260B558AC010879DC
                                                                                                                                                                                  SHA1:BE8B566A4CE4A529F8EB0352ABC7A2023A9B5355
                                                                                                                                                                                  SHA-256:ECC84D9A40448772697C14F27B1297FCDCE12DF30D008A7D4149A6AA587D85A8
                                                                                                                                                                                  SHA-512:2B731DAAD19CA5E43D29106C1EC06B8BA6B54EF44571FD51C2CF65DA4C9BA1941D78808D03F2056A839E2E76844E979B775AFC7B470640101328B572D10E0C4E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1358123
                                                                                                                                                                                  Entropy (8bit):4.034318859603253
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:obtBkiv2nWiuF5uzGtR6cA25tm1vYpiMyj:afdenWzF5uz/cA25tm1vYpiMyj
                                                                                                                                                                                  MD5:2F628ABBFE91A7738CD47142E42A4CCB
                                                                                                                                                                                  SHA1:9FB966C32D237E3ADDBED97478CB84697BCF1FE3
                                                                                                                                                                                  SHA-256:3C8DCE29BCF2B60BCC273229AFCA64EB07A73C729D0D20E35455CC5D933E9A69
                                                                                                                                                                                  SHA-512:9A1F0A40E8FF8E68DD08DBEA55DCFF45E7BBE76DE45520323832A9004698E6AB30D53ECA58EFE6DB08621F940A80C3AE441E038BCEFA4206CAFAF664E6CC0BFB
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1255925
                                                                                                                                                                                  Entropy (8bit):4.288346104977189
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:sHU9G7McKNBJhot56d4e/gb0HrWs05Bk3p1FZNViFlV2wtg+NFqIrOlHXAAFwQVV:s0X1u5EM2X
                                                                                                                                                                                  MD5:44C01878B175E976E75CE036E4D7A495
                                                                                                                                                                                  SHA1:91ECD7611C7C25F8615F234537819BE42799B288
                                                                                                                                                                                  SHA-256:7F28D607ED94E339B677CD5556202FB60F7E801E74AF16397EF610C7302F6957
                                                                                                                                                                                  SHA-512:3AFBFB3D6A95F1D61FE6A409729C768F1E4F0B3B4C1B6E35AF806F0AABCB6FF516CC70E9A112C2C6CEDE88C2778BFAE08A3E6AFFD05C9D5BC8A5DD4A4EC9BDD3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1055231
                                                                                                                                                                                  Entropy (8bit):4.333705516374822
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:78XSN9LyZYArTJz1L/L1XPhHsbhRy1cW+v1H5UJEyL3ftj8wlz9eTRo94G+K9uLO:78XBS5j5k
                                                                                                                                                                                  MD5:8470D57577F417DA93D40889CBE9F4BF
                                                                                                                                                                                  SHA1:6B497939F2B196A1B84E06D8AC2449B554C14A60
                                                                                                                                                                                  SHA-256:F5118CA292C570E69972FF8A7A81940A98DBF4519532CEFF133488A329825F78
                                                                                                                                                                                  SHA-512:EFA31D2C3DC584AAA4120C931749FF1CC0F21D263530DD6BD2D9F66BEC74159998CBF679A78B8D231FAB5DA1F0CB48A9D9DFACD0E0E85336B234B87B2457BFF3
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):535874
                                                                                                                                                                                  Entropy (8bit):5.6117453642537285
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:KErTapWZp08qQdrdwZiRDhzXkKxv8CXHXki4wge75MW/2+qi1nEedGAMYw/KFT6Q:KECph8qeoi7zBkiN5MW/B
                                                                                                                                                                                  MD5:04D37B8E9DB287042E86D0623063F9CA
                                                                                                                                                                                  SHA1:C6C3C32350737EFBC938F59A12D1D4A1C2ACA736
                                                                                                                                                                                  SHA-256:0FD794B314D12652CA5C1986795A00BD0116B44A3163D2EA0B26560E3AD23EEE
                                                                                                                                                                                  SHA-512:38756868FDD0045AA3E10D26E89F923759AFF7FB4C984CAE2FC46091D737E6C9B5EDD924948671ABE4B9991E150DCB0068143618911595F021332A5DBA7AD912
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):918373
                                                                                                                                                                                  Entropy (8bit):4.858278654048673
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:/T0LytA6d8Nj7RMRWYPnfzKj0meRi8ICN5rB3IjtAlLEpdcuPLNiXEqqbQS0w:/Ys8Njtgz55E5
                                                                                                                                                                                  MD5:BC19ED011123CE8CE343BA2BE9DAA315
                                                                                                                                                                                  SHA1:D588DF92475BB650D1E2BFC15E558315E90C9425
                                                                                                                                                                                  SHA-256:EF7FFD8792B482829F31924241E6BD12DCCDFDF404A0781BB28747C308649C0A
                                                                                                                                                                                  SHA-512:6B0960807F27C7653E7D851D503F5564F773C9E4290D4745566A0C3911CC0EF12E90F47DE883C541129AD7D294A766F226DC689AA343A00AD72049BF3D5C3713
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):801665
                                                                                                                                                                                  Entropy (8bit):5.134245422974978
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:Xc/F4PuvV+8PomR0D2nyBO3QU56JhEFZWPOWojYzQYrNwadcJKwU8ueco/9NjjFE:Xcm6V5vWR
                                                                                                                                                                                  MD5:4144860C649699B6237186D186697910
                                                                                                                                                                                  SHA1:A1774F0AE15891A80D40202723E4DF4044788D40
                                                                                                                                                                                  SHA-256:2E0B43AFA9C69288586ED404564EE2F420A87FF7936BDB48EFBF21CE8F58F468
                                                                                                                                                                                  SHA-512:D1E1FF2BDC0E746E84C36B221C7CBBD49A905B6353A23914F1F9F4A9314F495B1D273230C99488F9A3B61980211D90E996165B3DF7A3AA761E374D2A35AC8CD9
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):634523
                                                                                                                                                                                  Entropy (8bit):5.786224749056375
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:HLvU+cmwJlroEKaaF/KtXy0xxcPdI9+vUx5a8hye94KieJziMHo6wtON:rs+cmwJl7a4ti0xeo5a88e1ieliMI6wI
                                                                                                                                                                                  MD5:4185AB945C7550DE028909A55ABD3129
                                                                                                                                                                                  SHA1:0D5DAF37C1A0528C6F1DBA47758FC18938B6F34C
                                                                                                                                                                                  SHA-256:030D29BFC26F9F08DB13455C0D635F33B0315905D27D030D9F7813DADD899603
                                                                                                                                                                                  SHA-512:F500B4957AB0192A570130868BD661F94B4D0CD36D6A9EA5BE45437C95DCD8923CCA1EBFACD9AC98B85420E1D9FA96A74A9D4801432296A87871867672B3C60E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):458528
                                                                                                                                                                                  Entropy (8bit):6.664384291438873
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:nRAwX0s66VXNN5zu+E7/56aO/epD659+qjNFEwYHB07ulz:nRA3s6OXNzzt856aO/w65McNFEwmB/
                                                                                                                                                                                  MD5:6AF4D1577C142B87DABD3262F37634C8
                                                                                                                                                                                  SHA1:1B6152757B163455E9E1304E1BA1C09DD6593385
                                                                                                                                                                                  SHA-256:374AED2859320A7287B64A8D1B150F7DE05A931BE3603A541B68DDD64EA361B1
                                                                                                                                                                                  SHA-512:7F0A6CF88634E852B0E3E3B6B8A0C703602F3F606B8B34183D129F55EA2CE120E1C4D2EE2820FE027F025D422EBD0DFFE5F696303C1306F717129985CC0EF826
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):453011
                                                                                                                                                                                  Entropy (8bit):6.676159403780886
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:1K2A4c8ADmJUHGF2tuDasg5V5gjkzBMOZQyZV7zeXTA:8Z8Ahwasg5V5gjkzpr/7/
                                                                                                                                                                                  MD5:D6800784F1138702E4973CC5B074FE6C
                                                                                                                                                                                  SHA1:A8938CED7FE5A35163C28214EADD96A6F63A8666
                                                                                                                                                                                  SHA-256:D2C4AEC734BC94FBE7D60666343B4E419BE5E2CD1FF445A8BBF14FB4B8D3D715
                                                                                                                                                                                  SHA-512:3AD3557908E4BA71A5062AB0BE07832D553E6A3BD56BDD59A719DF65A4D9152950AF2DE25C6C410B6407463A862C92D49E9D0EE863BEF27A792AA128458FC7E7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5281234
                                                                                                                                                                                  Entropy (8bit):7.996903093990653
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:98304:UCNks/PeeUfLi93zJ/HbKKSoDr+cgSrwrNl8dtSip6QaVaK2nwuoM10mpmjy+0V4:UAk03dB7KRcRkrNi/SQaVN2wuJ10Le+1
                                                                                                                                                                                  MD5:54790975C932460FFA375CD0F0F8FFF0
                                                                                                                                                                                  SHA1:05B72FF82ABB8DDAC1A92471F765B87B7FF1E9FD
                                                                                                                                                                                  SHA-256:1EFDD507BB6F4FB07329EC7EC29EE00C952D6390BD5CFE3B41FB307C5CAEAB6C
                                                                                                                                                                                  SHA-512:D74627207CAA35602E68AD6C08A0EBF55FE062E191A1885EB38226755D382DD3407DEA883E4337C5CFF23C1F724D64E5598EDF7A5CE93D4CC1EA6EA10C41AA0E
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14617068
                                                                                                                                                                                  Entropy (8bit):5.79385325281793
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:avGNB5C7vJdzwjRm4A4s4QNhAejRmf4jNdA4J6dR3RfdV3zdT3diacttfh89Wew7:sdiA4s4QE4CPnf/9O
                                                                                                                                                                                  MD5:3BE23F535F4189F279B715002E04051C
                                                                                                                                                                                  SHA1:8881A8840A87F7C099B60CCA5F89CC27CC1CD287
                                                                                                                                                                                  SHA-256:6A8BD45F434D89B24C0396B98922347CBF5C308222B8CE73B5775EFC3BE12847
                                                                                                                                                                                  SHA-512:59076F68AFAFD80D89C4539E6C379C9D238AC5034495F02B95D1DABD935E35000E1B3E3288AA29141386DF40DF41F3B795AAEC9E0AC0A682AC863EC5BF81B05F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:.....d...d...d..{"files":{".gitlab-ci.yml":{"size":5099,"integrity":{"algorithm":"SHA256","hash":"09f5ff625209a83fccc4713de0442c8ff1f40845745d91f2c773bc39dfce6451","blockSize":4194304,"blocks":["09f5ff625209a83fccc4713de0442c8ff1f40845745d91f2c773bc39dfce6451"]},"offset":"0"},"Developer_ID_Application_and_Installer.p12":{"size":6285,"integrity":{"algorithm":"SHA256","hash":"cbf7b680ee72fd3a5cb10af805f29ee260593ea89f04bc83eaadf1a5127f9300","blockSize":4194304,"blocks":["cbf7b680ee72fd3a5cb10af805f29ee260593ea89f04bc83eaadf1a5127f9300"]},"offset":"5099"},"README.md":{"size":1249,"integrity":{"algorithm":"SHA256","hash":"0a63d81f319197c9bf72add393104b12b84471f00c718eae1297fda82f2f7b86","blockSize":4194304,"blocks":["0a63d81f319197c9bf72add393104b12b84471f00c718eae1297fda82f2f7b86"]},"offset":"11384"},"applications.json":{"size":854,"integrity":{"algorithm":"SHA256","hash":"260e10501f9770be3cbe2d0cd583903a51366acefeafaff8c27acfd95003affe","blockSize":4194304,"blocks":["260e10501f9770be3cbe
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):128792
                                                                                                                                                                                  Entropy (8bit):6.771174027481737
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:lHbLnrwQoRDtdMMgSXiFJWcIgUVCfRjV/GrWldO1fQSgqS:lPrwRhte1XsE1loJgf
                                                                                                                                                                                  MD5:3401FBF1785F35748B2E84978E967B83
                                                                                                                                                                                  SHA1:1E9130802E2950C0207A5678022346CAF97073A2
                                                                                                                                                                                  SHA-256:17A1AC7FD38F237E082792A5E1B7DE92A8EB54F785A053F2F0D6D01703CCF2D7
                                                                                                                                                                                  SHA-512:538E29A5B1E23EA60950AB20BB2AF1B7E3AABC8D694225EE3959EDD70393723D95EAD1E76CFFABE7E0723F368AF27C27CCF53F94F9CD4BBCE229089CC5C774F2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..O..............h.......j.q.....k.....e......e......e.......zR........._...h......h.f.............h......Rich....................PE..L......W............................l........0....@.......................................@....................................P.......x................S......T.......p...............................@............0..$............................text............................... ..`.rdata...k...0...l..................@..@.data...............................@....gfids..............................@..@.rsrc...x...........................@..@.reloc..T...........................@..B........................................................................................................................................................................................................................................................
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2903
                                                                                                                                                                                  Entropy (8bit):4.900542158148091
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:KDozOLwQ5W/Imgai9dgaijvgEiBP93iNaiBpaiB2EiBO3i3aenaeiEJg37Baevaf:KQxeeIm5i9d5ijvpiBPhiIiBkiB7iB8W
                                                                                                                                                                                  MD5:310A042DCA2144C9CDA556E9BC4B0C02
                                                                                                                                                                                  SHA1:D2032AF7EEA0DBD027A36E577567E85486496949
                                                                                                                                                                                  SHA-256:CAA82E59CA92629057791CB1E0BA0B74C90F561FAC81B029033FC081A83431B0
                                                                                                                                                                                  SHA-512:843D9F6F300CABA8DF41511473C43F4D5029FA0012E593677C83F196C8D595194D1409069FB4B8616E0118F37BA943BBE656B29DE40F0AD70997AB610FD98DB8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:' Notes: wanted to implement this using a class but:.' 1. No matter what I did I could not assign the result of GetObject to a private member.' 2. It looks as if all methods were treated as subs from the outside world which is not good since .' some of these need to return a value.'..Set private_oReg = GetObject("winmgmts:\root\default:StdRegProv")....Function SetStringValue(constHive, strSubKey, strValueName, strValue)...SetStringValue = private_oReg.SetStringValue(constHive, strSubKey, strValueName, strValue)..End Function..Sub GetStringValue(constHive, strKey, strValueName, strValue)..private_oReg.GetStringValue constHive, strKey, strValueName, strValue.End Sub..Function SetExpandedStringValue(constHive, strSubKey, strValueName, strValue)..SetExpandedStringValue = private_oReg.SetExpandedStringValue(constHive, strSubKey, strValueName, strValue).End Function..Sub GetExpandedStringValue(constHive, strKey, strValueName, strValue)..private_oReg.GetExpandedStringValue constHive, strKey,
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):8639
                                                                                                                                                                                  Entropy (8bit):5.069544854640392
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:' Notes: wanted to implement this using a class but:.' 1. No matter what I did I could not assign the result of GetObject to a private member.' 2. It looks as if all methods were treated as subs from the outside world which is not good since .' some of these need to return a value..' should be removed when migration is complete.Set private_oReg = GetObject("winmgmts:\root\default:StdRegProv")....Set private_oCtx = CreateObject("WbemScripting.SWbemNamedValueSet").private_oCtx.Add "__ProviderArchitecture", CInt(OSArchitecture)..Set private_oLocator = CreateObject("Wbemscripting.SWbemLocator").Set private_oServices = private_oLocator.ConnectServer(".", "root\default","","",,,,private_oCtx).Set private_oRegSpecific = private_oServices.Get("StdRegProv") ..Function CheckAccess(hDefKey,sSubKeyName,uRequired, bGranted )...Set Inparams = private_oRegSpecific.Methods_("CheckAccess").Inparameters....Inparams.hDefKey = hDefKey....Inparams.sSubKeyName = sSubKeyName....Inparams.uRequired = uRequired
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, Unicode text, UTF-8 text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):217
                                                                                                                                                                                  Entropy (8bit):4.958838262797446
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<job id="JsonSafeStreamTest">..<script language="VBScript" src="util.vbs" />..<script language="VBScript">.....str = """" & vbcrlf & "..\"...Write("{ ""a"": """ & JsonSafe(str) & """}" & vbcrlf)..</script>.</job>.
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):775
                                                                                                                                                                                  Entropy (8bit):5.103736648548187
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<job id="createKeyStream">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">....CheckZeroArgs("usage: cscript regCreateKey.wsf architecture")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()....Do While Not stdin.AtEndOfLine....strLine = stdin.ReadLine().......strLine = unescape(trim(strLine)).....If IsNull(strLine) or strLine = "" Then.....WScript.Quit 25127....End If........ParseHiveAndSubKey strLine, constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & strLine.....WScript.Quit 25122....End If.....Result = CreateKey(constHive, strSubKey).....If Not Result = 0 Then.........WScript.Quit Result....End If...Loop..</script>.</job>
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):695
                                                                                                                                                                                  Entropy (8bit):5.08983740554656
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<job id="deleteKey">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">....CheckZeroArgs("usage: cscript regDeleteKey.wsf architecture")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()....Do While Not stdin.AtEndOfLine........strLine = stdin.ReadLine()....strLine = unescape(trim(strLine)).......ParseHiveAndSubKey strLine, constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & strLine.....WScript.Quit 25122 ....End If.....Result = DeleteKey(constHive, strSubKey).....If Not Result = 0 Then.........WScript.Quit Result....End If...Loop..</script>.</job>
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):985
                                                                                                                                                                                  Entropy (8bit):5.201314794064873
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:' .'.Lists the sub keys and values of a given registry key.'.'.cscript regList.wsg HKLM\Software.'.'.Will Yield:.'.'.{.'.."hklm\software": { .'..."keys": [ .. array of sub keys .. ], .'..."values": { .'...."moo": { .'....."type": "REG_SZ", .'....."value": "bar".'....}.'...}.'..}.'.}.<job id="list">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">.....CheckZeroArgs("usage: cscript regList.wsf architecture regpath1 [regpath2] ... [regpathN]")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture().....Write "{"...For v = 1 To args.Count - 1....if (v > 1) Then.....Write ","....End If........Write """" & JsonSafe(args(v)) & """: "........ParseHiveAndSubKey args(v), constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & args(v).....WScript.Quit 25122 ....End If.....ListChildrenAsJson constHive, strSubKey...Next...Write "}"..</script>.</job>
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1095
                                                                                                                                                                                  Entropy (8bit):5.116448046938126
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:' .'.Lists the sub keys and values of a given registry key, this script is slightly different.'.than regList because it reads stdin for the keys to list.'.'.cscript regList.wsg HKLM\Software.'.'.Will Yield:.'.'.{.'.."hklm\software": { .'..."keys": [ .. array of sub keys .. ], .'..."values": { .'...."moo": { .'....."type": "REG_SZ", .'....."value": "bar".'....}.'...}.'..}.'.}.<job id="listStream">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">.....CheckZeroArgs("usage: cscript regList.wsf architecture")...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()......Do While Not stdin.AtEndOfLine.....strLine = stdin.ReadLine()....strLine = unescape(trim(strLine)).......ParseHiveAndSubKey strLine, constHive, strSubKey.....if IsNull(constHive) Then.....WriteLineErr "unsupported hive " & strLine.....WScript.Quit 25122 ....End If.....Write "{ ""key"" : """ & JsonSafe(strLine) & """, ""data"
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:HTML document, ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):1315
                                                                                                                                                                                  Entropy (8bit):5.205855538505303
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:<job id="putValue">..<script language="VBScript" src="util.vbs" />..<script language="VBScript" src="regUtil.vbs" />..<script language="VBScript">...usage = "usage: cscript regPutValue.wsf architecture" & vbNewLine _......& "types: REG_SZ, REG_EXPAND_SZ, REG_BINARY, REG_DWORD, REG_MULTI_SZ, REG_QWORD".....CheckZeroArgs(usage)...DetermineOSArchitecture()...LoadRegistryImplementationByOSArchitecture()......ReadCount = 0...Dim lineArgs(3)....Do While Not stdin.AtEndOfLine....strLine = stdin.ReadLine()....strLine = unescape(trim(strLine))........If IsNull(strLine) or strLine = "" Then.....WScript.Quit 25127....End If.....lineArgs(ReadCount) = strLine........ReadCount = ReadCount + 1.....If ReadCount = 4 Then......ParseHiveAndSubKey lineArgs(0), constHive, strSubKey..........if IsNull(constHive) Then......WriteLineErr "unsupported hive " & lineArgs(0)......WScript.Quit 25122.....End If......strValueName = lineArgs(1).....strValue = lineArgs(2).....strType = lineArgs(3)..........Result = Put
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):8106
                                                                                                                                                                                  Entropy (8bit):5.258136673571623
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:' TODO: consider incorporating a json writer of some sort instead of adhoc solution like the following.' e.g: http://demon.tw/my-work/vbs-json.html..const HKEY_CLASSES_ROOT = &H80000000.const HKEY_CURRENT_USER = &H80000001.const HKEY_LOCAL_MACHINE = &H80000002.const HKEY_USERS = &H80000003.const HKEY_CURRENT_CONFIG = &H80000005..Sub LoadRegistryImplementationByOSArchitecture()..If IsNull(OSArchitecture) Then...WriteLineErr "missing OSArchitecture global. did not call util.DetermineOSArchitecture? or Forgot to load util.vbs?"...WScript.Quit 25125....End If...If OSArchitecture = "A" Then...Include "ArchitectureAgnosticRegistry.vbs"..Else...Include "ArchitectureSpecificRegistry.vbs"..End If.End Sub ..Function PutValue(constHive, strSubKey, strValueName, strValue, strType)..Select Case UCase(strType)......Case "REG_SZ"....PutValue = SetStringValue(constHive, strSubKey, strValueName, strValue)....Case "REG_EXPAND_SZ"....PutValue = SetExpandedStringValue(constHive, strSubKey, strValueName, s
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:ASCII text
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4150
                                                                                                                                                                                  Entropy (8bit):5.218396921355448
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:Set stdout = WScript.StdOut.Set stderr = WScript.StdErr.Set stdin = WScript.StdIn.Set args = WScript.Arguments.Set fs = CreateObject("scripting.filesystemobject") .Dim OSArchitecture..Sub WriteErr(message)..stderr.Write message.End Sub..Sub WriteLineErr(message)..stderr.WriteLine message.End Sub..Sub Write(message)..stdout.Write message.End Sub..Sub WriteLine(message)..stdout.WriteLine message.End Sub..Function IndexOf(varNeedle, arrHaystack)..IndexOf = -1....If Not IsArray(arrHaystack). Then...Exit Function..End If...For xyz = 0 To UBound(arrHaystack)...If arrHaystack(xyz) = varNeedle Then....IndexOf = xyz....Exit Function...End If..Next.End Function..Sub CheckZeroArgs(message)..' bail if args are missing..If args.Count = 0 Then...WriteLineErr message...WScript.Quit 25121..End If.End Sub..Dim ALLOWED_OS_ARCHITECTURE_VALUES: ALLOWED_OS_ARCHITECTURE_VALUES = Array("S", "A", "32", "64")..'.'.determine the architecture of the operating system, that will be used. there are 4 possibilities:
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):306214
                                                                                                                                                                                  Entropy (8bit):4.392850925698206
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:ogusbBDoCIdRSt25iD1Z3yAcCLi9wfuwWMvDdkbMzaQ:ogus9oCM9OUYffnWYWbIF
                                                                                                                                                                                  MD5:AEDD1B80A8140B94C00DB3C0B9485772
                                                                                                                                                                                  SHA1:2DC8444E599438ED37A31EBFE7F8859AF7FAC631
                                                                                                                                                                                  SHA-256:C1DA41052ABE31791AE90A9DBE54442A641E1ECBB018EF35C44E7AED05B8F72E
                                                                                                                                                                                  SHA-512:3E06CB550F46285D8DC81D1F082732C07E9C9D81ABE931E859262C7BA699D4EB9737581F5A5C5174E09BB0FC0561A9DE46298714CED38F453F922F9536C67D0C
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):679161
                                                                                                                                                                                  Entropy (8bit):5.217457437935302
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:m/h8ML2Zu/Bg90Ws9oCM9Otxh6vtDINPbIgTtLAkW/cB2Z0JZkQXEzBO+lZ:myMSZu/Bg90BuCzIP/+2ZGZazJlZ
                                                                                                                                                                                  MD5:0C259ECBB12E6F3F0E076E6200221489
                                                                                                                                                                                  SHA1:3DE53DCAFDCE24C151DD1812769B46ACEA77C90C
                                                                                                                                                                                  SHA-256:83A8345EA197020E07FE2CF53E74F31D0CC632CA1537F5C9C1DB2FB2665AB04F
                                                                                                                                                                                  SHA-512:6EF39EE8B7D40C5E6C0E79F8C4E846D431A6A87711D025122E2E7F060C5754FFF917771D5EDE6ADEC3BE909FB5CE0E8EB1DF5E18142ECDB6339BDDE8CE2C8398
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):5312000
                                                                                                                                                                                  Entropy (8bit):6.364537003040197
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:49152:YL1wrvfRIQkXfBe1IlA8gE+LGHEYXb3GNfsUd9QjqZztkJCP1pSN6WxHEmp+DnnV:81w7weOqiFIYBgTE
                                                                                                                                                                                  MD5:8FE00EBE76542263463877F27417EC61
                                                                                                                                                                                  SHA1:763502E57A3C4FBE5FC25EE7E9C942D94505D244
                                                                                                                                                                                  SHA-256:46AFB1ED7AB1B1A679E00784B2E78CC2358CEC615553699624FF77882F55787B
                                                                                                                                                                                  SHA-512:62B375B40EEDF04D03D8465570634B56D529E9525BD6D81BE94B40C7DA21CCCAA808BE97649F9404DED9EDD5CE129F9FB1D462C6A1986A25FA8A228857CDA5A2
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):106
                                                                                                                                                                                  Entropy (8bit):4.724752649036734
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:YD96WyV18tzsmyXLVi1rTVWSCwW2TJHzeZ18rY:Y8WyV18tAZLVmCwXFiZ18rY
                                                                                                                                                                                  MD5:8642DD3A87E2DE6E991FAE08458E302B
                                                                                                                                                                                  SHA1:9C06735C31CEC00600FD763A92F8112D085BD12A
                                                                                                                                                                                  SHA-256:32D83FF113FEF532A9F97E0D2831F8656628AB1C99E9060F0332B1532839AFD9
                                                                                                                                                                                  SHA-512:F5D37D1B45B006161E4CEFEEBBA1E33AF879A3A51D16EE3FF8C3968C0C36BBAFAE379BF9124C13310B77774C9CBB4FA53114E83F5B48B5314132736E5BB4496F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:{"file_format_version": "1.0.0", "ICD": {"library_path": ".\\vk_swiftshader.dll", "api_version": "1.0.5"}}
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):954368
                                                                                                                                                                                  Entropy (8bit):6.588968362833733
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24576:CkMYSDIukxvnwhdzY96Z5WiDYsH56g3P0zAk7lE1:Cku0fwhC96Z5WiDYsH56g3P0zAk7l
                                                                                                                                                                                  MD5:D8F31216785E204DA9BAD10E9F3734B7
                                                                                                                                                                                  SHA1:BE7F53566DBAEC5DBE61AFC76BF7401CFC42EF08
                                                                                                                                                                                  SHA-256:FA6B4E20EB448746E2EFF9A7FDE7A62585E371F3497A6A928EADE0A8CE8C1A9F
                                                                                                                                                                                  SHA-512:D7EF5EF7ED9B5559E107369849ADCD18FB9C9C3A90033731A46C4B5D3BA431582936E54E5B5918CE19A667B3F1EB369A93BC3F9A03DF8E5397E5F80DC21A61A1
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):9216
                                                                                                                                                                                  Entropy (8bit):5.5347224014600345
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:5lkE3uqRI1y7/xcfK4PRef6gQzJyY1rpKlVrw:5lkMBI1y7UKcef6XzJrpKY
                                                                                                                                                                                  MD5:17309E33B596BA3A5693B4D3E85CF8D7
                                                                                                                                                                                  SHA1:7D361836CF53DF42021C7F2B148AEC9458818C01
                                                                                                                                                                                  SHA-256:996A259E53CA18B89EC36D038C40148957C978C0FD600A268497D4C92F882A93
                                                                                                                                                                                  SHA-512:1ABAC3CE4F2D5E4A635162E16CF9125E059BA1539F70086C2D71CD00D41A6E2A54D468E6F37792E55A822D7082FB388B8DFECC79B59226BBB047B7D28D44D298
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):102400
                                                                                                                                                                                  Entropy (8bit):6.729923587623207
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3072:WNuZmJ9TDP3ahD2TF7Rq9cJNPhF9vyHf:WNuZ81zaAFHhF9v
                                                                                                                                                                                  MD5:C6A6E03F77C313B267498515488C5740
                                                                                                                                                                                  SHA1:3D49FC2784B9450962ED6B82B46E9C3C957D7C15
                                                                                                                                                                                  SHA-256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E
                                                                                                                                                                                  SHA-512:9870C5879F7B72836805088079AD5BBAFCB59FC3D9127F2160D4EC3D6E88D3CC8EBE5A9F5D20A4720FE6407C1336EF10F33B2B9621BC587E930D4CBACF337803
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                  Entropy (8bit):5.719859767584478
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
                                                                                                                                                                                  MD5:0D7AD4F45DC6F5AA87F606D0331C6901
                                                                                                                                                                                  SHA1:48DF0911F0484CBE2A8CDD5362140B63C41EE457
                                                                                                                                                                                  SHA-256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
                                                                                                                                                                                  SHA-512:C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:7-zip archive data, version 0.4
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):78141621
                                                                                                                                                                                  Entropy (8bit):7.999996239109227
                                                                                                                                                                                  Encrypted:true
                                                                                                                                                                                  SSDEEP:1572864:C2um44HiI3Bbzg13iXyBGHG3cv4JW4/KMYAMvJmiftz1Y/g3/trsW9TNd8gUNXE:CTm4vIutyYJo+sUifl1YK/trs1gp
                                                                                                                                                                                  MD5:C61B218A36D2C1ACF12850705B82FAB7
                                                                                                                                                                                  SHA1:86D655F287EE48E883D26AF32CE6D2BC2047E72E
                                                                                                                                                                                  SHA-256:DB93B23692E2305373FBEA8C549C322A583DC68DBDF9941F04B1DD259D3838D1
                                                                                                                                                                                  SHA-512:378A6FAAF834924E26187097EFBFA314DE3E84532AAB085CB613CE337C3F961BE587D600B4347632BBC57071EA08E0ACB5C9B63C99BB10EF75DCE8A54406B4CC
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):4608
                                                                                                                                                                                  Entropy (8bit):4.703695912299512
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj
                                                                                                                                                                                  MD5:F0438A894F3A7E01A4AAE8D1B5DD0289
                                                                                                                                                                                  SHA1:B058E3FCFB7B550041DA16BF10D8837024C38BF6
                                                                                                                                                                                  SHA-256:30C6C3DD3CC7FCEA6E6081CE821ADC7B2888542DAE30BF00E881C0A105EB4D11
                                                                                                                                                                                  SHA-512:F91FCEA19CBDDF8086AFFCB63FE599DC2B36351FC81AC144F58A80A524043DDEAA3943F36C86EBAE45DD82E8FAF622EA7B7C9B776E74C54B93DF2963CFE66CC7
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):434176
                                                                                                                                                                                  Entropy (8bit):6.584811966667578
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:6144:aUWQQ5O3fz0NG3ucDaEUTWfk+ZA0NrCL/k+uyoyBOX1okfW7w+Pfzqibckl:an5QEG39fPAkrE4yrBOXDfaNbck
                                                                                                                                                                                  MD5:80E44CE4895304C6A3A831310FBF8CD0
                                                                                                                                                                                  SHA1:36BD49AE21C460BE5753A904B4501F1ABCA53508
                                                                                                                                                                                  SHA-256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592
                                                                                                                                                                                  SHA-512:C8BA7B1F9113EAD23E993E74A48C4427AE3562C1F6D9910B2BBE6806C9107CF7D94BC7D204613E4743D0CD869E00DAFD4FB54AAD1E8ADB69C553F3B9E5BC64DF
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):55
                                                                                                                                                                                  Entropy (8bit):4.606283522923009
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:BCZHUBJQfsfDcRVLSX8:BO0GsfARVr
                                                                                                                                                                                  MD5:8DFA1309279558B854DFA8F976856F4E
                                                                                                                                                                                  SHA1:137DC9302A16C585EE54639509BEEAAE1BF24B53
                                                                                                                                                                                  SHA-256:393BADFF35DE52CF203F7CB979BA66FBD9A66DAEFBE495E33C1A9C8CE4BE2ACA
                                                                                                                                                                                  SHA-512:F7E7E96A61CAF8B04D1A921160D40F800CAF7750531135ACACD0EAEFCCFD680F55EE16166383ED6A1AC5AF8C2DCE1C154685638729FE12B804F4700D4F995C03
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:{. "log_str": "5ddd1d9a-57c0-49d2-b2c3-9f9406b7805c".}
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:JSON data
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):55
                                                                                                                                                                                  Entropy (8bit):4.606283522923009
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:BCZHUBJQfsfDcRVLSX8:BO0GsfARVr
                                                                                                                                                                                  MD5:8DFA1309279558B854DFA8F976856F4E
                                                                                                                                                                                  SHA1:137DC9302A16C585EE54639509BEEAAE1BF24B53
                                                                                                                                                                                  SHA-256:393BADFF35DE52CF203F7CB979BA66FBD9A66DAEFBE495E33C1A9C8CE4BE2ACA
                                                                                                                                                                                  SHA-512:F7E7E96A61CAF8B04D1A921160D40F800CAF7750531135ACACD0EAEFCCFD680F55EE16166383ED6A1AC5AF8C2DCE1C154685638729FE12B804F4700D4F995C03
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:{. "log_str": "5ddd1d9a-57c0-49d2-b2c3-9f9406b7805c".}
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7996
                                                                                                                                                                                  Entropy (8bit):5.128824009655858
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:Iwr2yWGyAH155NpoEdyb76f8upG2sIkQTkpfpBnquMpBnqF5zqps2dXRSXjKMoy8:IHa1Hj7k2sI90mHmF52pbye9U/Prtk
                                                                                                                                                                                  MD5:9CB68B693CDCDF5E9E5707E3CABCA7A7
                                                                                                                                                                                  SHA1:29A5537387519BC14138F02C5355EAB2EB923AA3
                                                                                                                                                                                  SHA-256:D79405A4F2A390407B78B1DC7FEEBE3A533EA9969F6066F5A12F189502D900F0
                                                                                                                                                                                  SHA-512:765EDDDD3CE8995DC66AB5578462F12CD52007FDEBF3C6DE412BAF4C094E17FDB286BDEB0A6ECC6FE2347C0BB846F4D2A206DD78BC128111E84918F50B57E7F8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% ..*% ..*% ..*GPDSpecVersion: "1.0"..*GPDFileName: "imgprint.gpd"..*GPDFileVersion: "3.1.0" ..*Include: "StdNames.gpd"..*ModelName: "Wildix FaxPrinter"..*MasterUnits: PAIR(1200, 1200)..*ResourceDLL: "unires.dll"..*PrinterType: PAGE..*MaxCopies: 99......*Feature: Orientation..{.. *rcNameID: =ORIENTATION_DISPLAY.. *DefaultOption: PORTRAIT.. *Option: PORTRAIT.. {.. *rcNameID: =PORTRAIT_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "<1B>&l0O".. }.. }.. *Option: LANDSCAPE_CC90.. {.. *rcNameID: =LANDSCAPE_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.6.. *Cmd: "<1B>&l1O".. }.. }..}..*Feature: InputBin..{.. *rcNameID: =PAPER_SOURCE_DISPLAY.. *DefaultOption: MANUAL.. *Option: MANUAL.. {.. *rcNameID: =MANUAL_FEED_DISPLAY.. *Command: CmdSelect.. {.. *Order: DOC_SETUP.9.. *Cmd: "<1B>&l2H
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):23812
                                                                                                                                                                                  Entropy (8bit):5.102231290969022
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:ILAp44CzsyQKElOR2x96a7zXql8wYNz6FkjzEgqgF6Lvztmm/jb5/R6B3VjMcBU0:ILAe40VxYJ7zvWrfZmujb5mVjlQrlGwI
                                                                                                                                                                                  MD5:D46A5DFAB2AC1BB5BF39D4E256E3AB43
                                                                                                                                                                                  SHA1:FD19097E89D882E5624E8822FF8D7518D104B31C
                                                                                                                                                                                  SHA-256:0E93309B477971AD9D744FB1BB6AFDE1AF7D31223E90B5E8A4E5EA13CC5B8CD9
                                                                                                                                                                                  SHA-512:FE6C5CD5DA0E045E9F823D34E393E158F56A3136966971F0D494092257956FBEA29ACC98E94B50AA785CF426DBACDAFFCC0B0F7872E7F63A2F270A174C0F4BCA
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% stddtype.gdl - this file contains templates that define all MS standard datatypes..*% that appear in GPD and GDL files.....*PreCompiled: TRUE......*% ==================..*% ==== Macro Definitions ====..*% ==================....*Macros:..{.. LIST_OF_COMMAND_NAMES : (.. *%.. *% GENERAL.. *%.. *% the following are not enumerated here because they require.. *% the full Command structure. See Template: ORDERED_COMMAND.. *% and its descendants..... *% CmdSelect,.. *% CmdStartJob,.. *% CmdStartDoc,.. *% CmdStartPage,.. *% CmdEndPage,.. *% CmdEndDoc,.. *% CmdEndJob,.. *% CmdCopies,.. *% CmdSleepTimeOut,.... *%.. *% CURSOR CONTROL.. *%.. CmdXMoveAbsolute,.. CmdXMoveRelLeft,.. CmdXMoveRelRight,.. CmdYMoveAbsolute,.. CmdYMoveRelUp,.. CmdYMoveRelDown,.. CmdSetSimpleRotation,.. CmdSetAnyRotation,.. CmdUniDirec
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):14362
                                                                                                                                                                                  Entropy (8bit):4.18034476253744
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:NcThm8JC986ITRCzEzEpYNwtd29u7ZTl8hF:xFzOnS7z0
                                                                                                                                                                                  MD5:CD0BA5F62202298A6367E0E34CF5A37E
                                                                                                                                                                                  SHA1:0507C7264281EFB362931DEB093308A5CC0F23A5
                                                                                                                                                                                  SHA-256:B5E8E0C7339EF73F4DD20E2570EE2C79F06CA983F74D175DBE90C0319C70CE3A
                                                                                                                                                                                  SHA-512:0DA97D886BBF6E06BDEF240B0CA32E80ED56140349902F2A58FCD00A95F85AEDEABB779CA99308DA39E995BDB7C179E2D7A0705643AF609EC7E05323964851F8
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*%%% Copyright (c) 1997-1999 Microsoft Corporation..*%%% value macros for standard feature names and standard option names..*%%% used in older Unidrv's.....*CodePage: 1252 *% Windows 3.1 US (ANSI) code page....*Feature: RESDLL..{.. *Name: "resource dll files".. *ConcealFromUI?: TRUE.... *Option: UniresDLL.. {.. *Name: "unires.dll".. }..}....*Macros: StdFeatureNames..{.. ORIENTATION_DISPLAY: RESDLL.UniresDLL.11100.. PAPER_SIZE_DISPLAY: RESDLL.UniresDLL.11101.. PAPER_SOURCE_DISPLAY: RESDLL.UniresDLL.11102.. RESOLUTION_DISPLAY: RESDLL.UniresDLL.11103.. MEDIA_TYPE_DISPLAY: RESDLL.UniresDLL.11104.. TEXT_QUALITY_DISPLAY: RESDLL.UniresDLL.11105.. COLOR_PRINTING_MODE_DISPLAY: RESDLL.UniresDLL.11106.. PRINTER_MEMORY_DISPLAY: RESDLL.UniresDLL.11107.. TWO_SIDED_PRINTING_DISPLAY: RESDLL.UniresDLL.11108.. PAGE_PROTECTION_DISP
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):59116
                                                                                                                                                                                  Entropy (8bit):5.051886370413466
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:768:UH8K0RGmALhTYi6AmdDsaCXmSsUN2xHXgutLSsy3o+ndhr54:UH8K0RGmAd58D+iLBHad4
                                                                                                                                                                                  MD5:FC574EB0EAAF6A806F6488673154F91F
                                                                                                                                                                                  SHA1:E10B44CF7082FE5BE23FB0C19AC792D4692F6388
                                                                                                                                                                                  SHA-256:941E5318D8BBD747AFA98982C0354516079175ACD3D7485F327BCC384F4FCFB8
                                                                                                                                                                                  SHA-512:A04CAC69A4DD4BD951CDC0F5186A3F589DA2EA40D667BE855F9E5AED12ECD9F7FC79FD624361C9563A07A5DCC1250CBD628BA27A0FAD78D599CD68540F9B4F45
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% stdschem.gdl - this file contains templates that define all MS standard keywords..*% and constructs that appear in GPD and GDL files.....*PreCompiled: TRUE....*Include: "stddtype.gdl"......*% ==================..*% ==== Base Attributes ====..*% ==================........*Template: DISPLAY_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_CODEPAGE_STRING.. *Virtual: TRUE..}........*Template: ANSI_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_NORMAL_STRING.. *Virtual: TRUE..}....*Template: DEF_CP_STRING..{.. *Type: ATTRIBUTE.. *ValueType: GPD_DEFAULT_CODEPAGE_STRING.. *Virtual: TRUE..}....*% ==================..*% ==== Root Attributes ====..*% ==================....*Template: CODEPAGE..{.. *Name: "*CodePage".. *Type: ATTRIBUTE.. *ValueType: GPD_NONNEG_INTEGER..}....*Template: GPDSPECVERSION..{.. *Name: "*GPDSpecVersion".. *Inherits: ANSI_STRING..}....*Template: GPDFILEVERSION..{.. *Name: "*GPDFileVersion".. *Inhe
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):2278
                                                                                                                                                                                  Entropy (8bit):4.581866117244519
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:24:IO673u+3WSnMVfIPQMAPFq+AP3hM927Kc509OD8jQV0Ucn05NKYKd5NK3Kr59:IB7zmrAPMtc6927e9OQEV2EPSQg/
                                                                                                                                                                                  MD5:932F57E78976810729855CD1B5CCD8EF
                                                                                                                                                                                  SHA1:50D7145076D422C03B924DD16EA237AC9B822F0E
                                                                                                                                                                                  SHA-256:3B9BE4E69B022DE9D0E30EDE70F292F3DF55AB7BE36F134BF2D37A7039937D19
                                                                                                                                                                                  SHA-512:023848F6CE826EB040EA90C8319BBF1AC26E16B66BD9470E197B3A02DAE00AE9A177996E6B069F42BC54FBF28AE7F96CCC10CF331C13B54CCF12990311F30D73
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:*% stdschx.gdl..*% this file defines the parts of the schema that are dependent on..*% preprocessor defines.....*% Since this header relies on passed in Preprocessor defines, it must not be PreCompiled...*PreCompiled: FALSE....*Include: "stdschem.gdl"....*Ifdef: WINNT_50.. *% and above .......*Template: PRINTRATEUNIT..{.. *Name: "*PrintRateUnit".. *Type: ATTRIBUTE.. *ValueType: EDT_PRINTRATEUNIT..}..*Template: PREDEFINED_PAPERSIZE_OPTION_2 *% Additional papersizes.. *% for NT5.0..{.. *Inherits: V_PREDEFINED_PAPERSIZE_OPTION.. *Instances: (.. DBL_JAPANESE_POSTCARD,.. A6,.. JENV_KAKU2,.. JENV_KAKU3,.. JENV_CHOU3,.. JENV_CHOU4,.. LETTER_ROTATED,.. A3_ROTATED,.. A4_ROTATED,.. A5_ROTATED,.. B4_JIS_ROTATED,.. B5_JIS_ROTATED,.. JAPANESE_POSTCARD_ROTATED,.. DBL_JAPANESE_POSTCARD_ROTATED,.. A6_ROTATED,.. JENV_KAKU2_ROTATED,.. JENV_KAKU3_ROTA
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):532080
                                                                                                                                                                                  Entropy (8bit):6.370246167881384
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:/TIJ/Cq6XA1T9hPGhV9mid49b9spV7LDbTz5w:/UJ/Cq2IT/PiP4dapV7LDtw
                                                                                                                                                                                  MD5:1D574CE34B4086B8440B578497E4BAC6
                                                                                                                                                                                  SHA1:F7C55619F693CC6465B8B877C2F9E533CB84712C
                                                                                                                                                                                  SHA-256:BDCADB517FDB16078F999701B3A59CA75687CDE474F9770DF2E86AE41F9E962A
                                                                                                                                                                                  SHA-512:FB1B70C392A1E292C181C3EB4C072BD56FFFAA6674025FEB86EBDC772C98CC443D8DFC7325C84E19CB41269303D8C583A44841F938F03CC517DD25E68359560F
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):919664
                                                                                                                                                                                  Entropy (8bit):5.991555850090375
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:uH0ARc8QCfjeDUr73Tx1yfhPXgFQ3Qe5w1lwAAwoTLARTsBqC+Zo:u7Hdv3DyfhP2QgYPwo3ArVo
                                                                                                                                                                                  MD5:816DDBD6F052DEBFCE5B7EEAE4E789FD
                                                                                                                                                                                  SHA1:1DFD070CAE07E271233AF20236831DC58B3BADB6
                                                                                                                                                                                  SHA-256:727FFB5B2BF5BDFFFBD090FD83911F731BB6776571ED1377F2139899709C51F0
                                                                                                                                                                                  SHA-512:6A02DA315AD7E886FDC4C43C0F63409A41735FB409F144DAA04422648E45FA9E7A523CF326612412C96D3E03D451F10A2BDFEB2B6BCAD7A6D8DC474281A5978D
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):856688
                                                                                                                                                                                  Entropy (8bit):5.596774833480957
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:r9aBEoNh3bBPc/s4430ye84TF1dbua5TVhRre3kf8IKHgikinL2U:paBEGbL4Np84TQazCSiR2U
                                                                                                                                                                                  MD5:A64216C3C9E82E1C6D0B5CD8020D3ABD
                                                                                                                                                                                  SHA1:5FC65E59EEEE9C5F1682E4EDB4C5D9EF69FCED88
                                                                                                                                                                                  SHA-256:56DA81C0EABE8505A96A41BA69A3DB13F30E247C39B1393CFE65C9578E47A9EC
                                                                                                                                                                                  SHA-512:079CFACC36CF4EA6E24A61B539C1A2EBC04DAE2AC93FE8EC372FA5E8934C9F93BEBC4C47188E7EC95D306ACB0E8A2C3FA2AC8605A378F30AD8C634B457168B83
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):940144
                                                                                                                                                                                  Entropy (8bit):6.458898363798956
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:12288:5pcIN4eGbIp0dMAonEWorRdvfd+Xu6VrZUcu2jRwzjeL7i8XVbsT3zpf3ygLuITz:5pv2OrkeL+8U3zpvyOuARXwo1
                                                                                                                                                                                  MD5:1DED360B71C4C83EB10B0C08B6597C9E
                                                                                                                                                                                  SHA1:80CC899D7CC2483B01185CD528210A399C76DBDD
                                                                                                                                                                                  SHA-256:D9B43DF509EE41A62E74241A541723E309FA5A4470E3132E7DD2C54314DF4E2D
                                                                                                                                                                                  SHA-512:45616968A18B7789F9256CFD7E2023D6644A34B5F29ADF138E058BBDCDC2231FA3DC37DD28796F85AB1D63E60F9E9C8C010AEE162DAC9031B0E605C463966A78
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                  Entropy (8bit):5.814115788739565
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                                                                                  MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                                                  SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                                                  SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                                                  SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7168
                                                                                                                                                                                  Entropy (8bit):5.298362543684714
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                                                                                                                                                                  MD5:675C4948E1EFC929EDCABFE67148EDDD
                                                                                                                                                                                  SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                                                                                                                                                                  SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                                                                                                                                                                  SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):12288
                                                                                                                                                                                  Entropy (8bit):5.814115788739565
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:192:Zjvco0qWTlt70m5Aj/lQ0sEWD/wtYbBHFNaDybC7y+XBz0QPi:FHQlt70mij/lQRv/9VMjzr
                                                                                                                                                                                  MD5:CFF85C549D536F651D4FB8387F1976F2
                                                                                                                                                                                  SHA1:D41CE3A5FF609DF9CF5C7E207D3B59BF8A48530E
                                                                                                                                                                                  SHA-256:8DC562CDA7217A3A52DB898243DE3E2ED68B80E62DDCB8619545ED0B4E7F65A8
                                                                                                                                                                                  SHA-512:531D6328DAF3B86D85556016D299798FA06FEFC81604185108A342D000E203094C8C12226A12BD6E1F89B0DB501FB66F827B610D460B933BD4AB936AC2FD8A88
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
                                                                                                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7168
                                                                                                                                                                                  Entropy (8bit):5.298362543684714
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:96:J9zdzBzMDByZtr/HDQIUIq9m6v6vBckzu9wSBpLEgvElHlernNQaSGYuH2DQ:JykDr/HA5v6G2IElFernNQZGdHW
                                                                                                                                                                                  MD5:675C4948E1EFC929EDCABFE67148EDDD
                                                                                                                                                                                  SHA1:F5BDD2C4329ED2732ECFE3423C3CC482606EB28E
                                                                                                                                                                                  SHA-256:1076CA39C449ED1A968021B76EF31F22A5692DFAFEEA29460E8D970A63C59906
                                                                                                                                                                                  SHA-512:61737021F86F54279D0A4E35DB0D0808E9A55D89784A31D597F2E4B65B7BBEEC99AA6C79D65258259130EEDA2E5B2820F4F1247777A3010F2DC53E30C612A683
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Process:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                  Category:dropped
                                                                                                                                                                                  Size (bytes):7
                                                                                                                                                                                  Entropy (8bit):2.2359263506290326
                                                                                                                                                                                  Encrypted:false
                                                                                                                                                                                  SSDEEP:3:t:t
                                                                                                                                                                                  MD5:F1CA165C0DA831C9A17D08C4DECBD114
                                                                                                                                                                                  SHA1:D750F8260312A40968458169B496C40DACC751CA
                                                                                                                                                                                  SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
                                                                                                                                                                                  SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
                                                                                                                                                                                  Malicious:false
                                                                                                                                                                                  Preview:Ok.....
                                                                                                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
                                                                                                                                                                                  Entropy (8bit):7.999108240757062
                                                                                                                                                                                  TrID:
                                                                                                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                                                                                                  File name:Collaboration-x64.exe
                                                                                                                                                                                  File size:104'457'632 bytes
                                                                                                                                                                                  MD5:335fe577cfcd7c2e3d62ca7ae6c92b8f
                                                                                                                                                                                  SHA1:e025f1c339ac4f39134283cb7dff0a2b48e5be6b
                                                                                                                                                                                  SHA256:7b999bd912a71a10f056eb8052a0475efdff781a15b94606138c6525c60665cb
                                                                                                                                                                                  SHA512:9b26716ae526e67675eca053a4a8c066de26d0c3c710f646d005cea722b44d11b4686d6ba21cd45b92fded415fd24660a0e24cda8493281e9af5f5d9fc480fb1
                                                                                                                                                                                  SSDEEP:3145728:/bTm4vIutyYJo+sUifl1YK/trs1goiLWMKm+KdnF:TC4noYJox19/3zLWMKBcF
                                                                                                                                                                                  TLSH:093833685AB0813FF8169B35613807D9913BADFC9A3ACE531418F3D8FB332E0654A597
                                                                                                                                                                                  Icon Hash:1361acaa96d4610f
                                                                                                                                                                                  Entrypoint:0x40338f
                                                                                                                                                                                  Entrypoint Section:.text
                                                                                                                                                                                  Digitally signed:true
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  Subsystem:windows gui
                                                                                                                                                                                  Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                                                                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                                                                                                  Time Stamp:0x5C157F86 [Sat Dec 15 22:26:14 2018 UTC]
                                                                                                                                                                                  TLS Callbacks:
                                                                                                                                                                                  CLR (.Net) Version:
                                                                                                                                                                                  OS Version Major:4
                                                                                                                                                                                  OS Version Minor:0
                                                                                                                                                                                  File Version Major:4
                                                                                                                                                                                  File Version Minor:0
                                                                                                                                                                                  Subsystem Version Major:4
                                                                                                                                                                                  Subsystem Version Minor:0
                                                                                                                                                                                  Import Hash:b34f154ec913d2d2c435cbd644e91687
                                                                                                                                                                                  Signature Valid:true
                                                                                                                                                                                  Signature Issuer:CN=Certum Extended Validation Code Signing 2021 CA, O=Asseco Data Systems S.A., C=PL
                                                                                                                                                                                  Signature Validation Error:The operation completed successfully
                                                                                                                                                                                  Error Number:0
                                                                                                                                                                                  Not Before, Not After
                                                                                                                                                                                  • 08/11/2024 02:02:16 08/11/2027 02:02:15
                                                                                                                                                                                  Subject Chain
• CN=Wildix OÜ, O=Wildix OÜ, STREET="Laeva tn., 2", PostalCode=10111, L=Tallinn, S=Harju maakond, C=EE, SERIALNUMBER=12915667, OID.1.3.6.1.4.1.311.60.2.1.1=Tartu, OID.1.3.6.1.4.1.311.60.2.1.2=Tartu maakond, OID.1.3.6.1.4.1.311.60.2.1.3=EE, OID.2.5.4.15=Private Organization
                                                                                                                                                                                  Version:3
                                                                                                                                                                                  Thumbprint MD5:8D242122DFF67487607F2D0420C749C0
                                                                                                                                                                                  Thumbprint SHA-1:2DA714C0EA5669329B9CB729381362B9741E2F0F
                                                                                                                                                                                  Thumbprint SHA-256:BB6DCF27CB6D1C9AA885B52FEF8532723B899FC11E7527553389E40571B11117
                                                                                                                                                                                  Serial:7625A04AF8C3CA38783A5126728CA6F5
                                                                                                                                                                                  Instruction
                                                                                                                                                                                  sub esp, 000002D4h
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  push esi
                                                                                                                                                                                  push edi
                                                                                                                                                                                  push 00000020h
                                                                                                                                                                                  pop edi
                                                                                                                                                                                  xor ebx, ebx
                                                                                                                                                                                  push 00008001h
                                                                                                                                                                                  mov dword ptr [esp+14h], ebx
                                                                                                                                                                                  mov dword ptr [esp+10h], 0040A2E0h
                                                                                                                                                                                  mov dword ptr [esp+1Ch], ebx
                                                                                                                                                                                  call dword ptr [004080A8h]
                                                                                                                                                                                  call dword ptr [004080A4h]
                                                                                                                                                                                  and eax, BFFFFFFFh
                                                                                                                                                                                  cmp ax, 00000006h
                                                                                                                                                                                  mov dword ptr [0047AEECh], eax
                                                                                                                                                                                  je 00007F590CCA8943h
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  call 00007F590CCABBF5h
                                                                                                                                                                                  cmp eax, ebx
                                                                                                                                                                                  je 00007F590CCA8939h
                                                                                                                                                                                  push 00000C00h
                                                                                                                                                                                  call eax
                                                                                                                                                                                  mov esi, 004082B0h
                                                                                                                                                                                  push esi
                                                                                                                                                                                  call 00007F590CCABB6Fh
                                                                                                                                                                                  push esi
                                                                                                                                                                                  call dword ptr [00408150h]
                                                                                                                                                                                  lea esi, dword ptr [esi+eax+01h]
                                                                                                                                                                                  cmp byte ptr [esi], 00000000h
                                                                                                                                                                                  jne 00007F590CCA891Ch
                                                                                                                                                                                  push 0000000Ah
                                                                                                                                                                                  call 00007F590CCABBC8h
                                                                                                                                                                                  push 00000008h
                                                                                                                                                                                  call 00007F590CCABBC1h
                                                                                                                                                                                  push 00000006h
                                                                                                                                                                                  mov dword ptr [0047AEE4h], eax
                                                                                                                                                                                  call 00007F590CCABBB5h
                                                                                                                                                                                  cmp eax, ebx
                                                                                                                                                                                  je 00007F590CCA8941h
                                                                                                                                                                                  push 0000001Eh
                                                                                                                                                                                  call eax
                                                                                                                                                                                  test eax, eax
                                                                                                                                                                                  je 00007F590CCA8939h
                                                                                                                                                                                  or byte ptr [0047AEEFh], 00000040h
                                                                                                                                                                                  push ebp
                                                                                                                                                                                  call dword ptr [00408044h]
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  call dword ptr [004082A0h]
                                                                                                                                                                                  mov dword ptr [0047AFB8h], eax
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  lea eax, dword ptr [esp+34h]
                                                                                                                                                                                  push 000002B4h
                                                                                                                                                                                  push eax
                                                                                                                                                                                  push ebx
                                                                                                                                                                                  push 00440208h
                                                                                                                                                                                  call dword ptr [00408188h]
                                                                                                                                                                                  push 0040A2C8h
                                                                                                                                                                                  Programming Language:
                                                                                                                                                                                  • [EXP] VC++ 6.0 SP5 build 8804
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8610 | 0xa0 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x19f000 | 0x5c8e8 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x6399288 | 0x5318 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2b0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6627 | 0x6800 | 7618d4c0cd8bb67ea9595b4266b3a91f | False | 0.6646259014423077 | data | 6.450282348506287 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x14a2 | 0x1600 | eecac1fed9cc6b447d50940d178404d8 | False | 0.4405184659090909 | data | 5.025178929113415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xa000 | 0x70ff8 | 0x600 | db8f31a08a2242d80c29e1f9500c6527 | False | 0.5182291666666666 | data | 4.037117731448378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x7b000 | 0x124000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x19f000 | 0x5c8e8 | 0x5ca00 | a25e41886483ff1ac2dc440641bf81eb | False | 0.1160883729757085 | data | 2.731818245670535 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x19f598 | 0x42028 | Device independent bitmap graphic, 256 x 512 x 32, image size 262144 | English | United States | 0.09041482971861407
RT_ICON | 0x1e15c0 | 0x10828 | Device independent bitmap graphic, 128 x 256 x 32, image size 65536 | English | United States | 0.14447533420087544
RT_ICON | 0x1f1de8 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16384 | English | United States | 0.2112659423712801
RT_ICON | 0x1f6010 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | English | United States | 0.26441908713692946
RT_ICON | 0x1f85b8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096 | English | United States | 0.36890243902439024
RT_ICON | 0x1f9660 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1024 | English | United States | 0.5726950354609929
RT_DIALOG | 0x1f9ac8 | 0x202 | data | English | United States | 0.4085603112840467
RT_DIALOG | 0x1f9cd0 | 0xf8 | data | English | United States | 0.6290322580645161
RT_DIALOG | 0x1f9dc8 | 0xee | data | English | United States | 0.6260504201680672
RT_DIALOG | 0x1f9eb8 | 0x1fa | data | English | United States | 0.40118577075098816
RT_DIALOG | 0x1fa0b8 | 0xf0 | data | English | United States | 0.6666666666666666
RT_DIALOG | 0x1fa1a8 | 0xe6 | data | English | United States | 0.6565217391304348
RT_DIALOG | 0x1fa290 | 0x1ee | data | English | United States | 0.38866396761133604
RT_DIALOG | 0x1fa480 | 0xe4 | data | English | United States | 0.6447368421052632
RT_DIALOG | 0x1fa568 | 0xda | data | English | United States | 0.6422018348623854
RT_DIALOG | 0x1fa648 | 0x1ee | data | English | United States | 0.3866396761133603
RT_DIALOG | 0x1fa838 | 0xe4 | data | English | United States | 0.6359649122807017
RT_DIALOG | 0x1fa920 | 0xda | data | English | United States | 0.6376146788990825
RT_DIALOG | 0x1faa00 | 0x1f2 | data | English | United States | 0.39759036144578314
RT_DIALOG | 0x1fabf8 | 0xe8 | data | English | United States | 0.6508620689655172
RT_DIALOG | 0x1face0 | 0xde | data | English | United States | 0.6486486486486487
RT_DIALOG | 0x1fadc0 | 0x202 | data | English | United States | 0.42217898832684825
RT_DIALOG | 0x1fafc8 | 0xf8 | data | English | United States | 0.6653225806451613
RT_DIALOG | 0x1fb0c0 | 0xee | data | English | United States | 0.6512605042016807
RT_GROUP_ICON | 0x1fb1b0 | 0x5a | data | English | United States | 0.7666666666666667
RT_VERSION | 0x1fb210 | 0x2a8 | data | English | United States | 0.4602941176470588
RT_MANIFEST | 0x1fb4b8 | 0x42e | XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators | English | United States | 0.5130841121495328
DLL | Import
KERNEL32.dll | SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll | GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll | SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll | SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll | AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll | ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll | OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance
Language of compilation system | Country where language is spoken | Map
English | United States
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2025 17:22:05.201447010 CET | 64709 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 17:22:05.206254959 CET | 53 | 64709 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 17:22:05.207365036 CET | 64709 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 17:22:05.212230921 CET | 53 | 64709 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 17:22:05.653438091 CET | 64709 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 17:22:05.658801079 CET | 53 | 64709 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 17:22:05.658870935 CET | 64709 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 13, 2025 17:21:43.751075983 CET | 49635 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 17:22:05.200335026 CET | 53 | 54569 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 17:22:58.924043894 CET | 50352 | 53 | 192.168.2.7 | 1.1.1.1
Jan 13, 2025 17:22:58.941128969 CET | 53 | 50352 | 1.1.1.1 | 192.168.2.7
Jan 13, 2025 17:23:03.841459990 CET | 56358 | 53 | 192.168.2.7 | 1.1.1.1
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 13, 2025 17:21:43.751075983 CET | 192.168.2.7 | 1.1.1.1 | 0xa2a | Standard query (0) | time.windows.com | A (IP address) | IN (0x0001) | false
Jan 13, 2025 17:22:58.924043894 CET | 192.168.2.7 | 1.1.1.1 | 0x371a | Standard query (0) | feedback.wildix.com | A (IP address) | IN (0x0001) | false
Jan 13, 2025 17:23:03.841459990 CET | 192.168.2.7 | 1.1.1.1 | 0x5525 | Standard query (0) | crt.sectigo.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 13, 2025 17:21:43.757708073 CET | 1.1.1.1 | 192.168.2.7 | 0xa2a | No error (0) | time.windows.com | twc.trafficmanager.net |  | CNAME (Canonical name) | IN (0x0001) | false
Jan 13, 2025 17:22:58.941128969 CET | 1.1.1.1 | 192.168.2.7 | 0x371a | No error (0) | feedback.wildix.com |  | 3.126.89.4 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 17:22:58.941128969 CET | 1.1.1.1 | 192.168.2.7 | 0x371a | No error (0) | feedback.wildix.com |  | 52.58.254.151 | A (IP address) | IN (0x0001) | false
Jan 13, 2025 17:23:03.849114895 CET | 1.1.1.1 | 192.168.2.7 | 0x5525 | No error (0) | crt.sectigo.com | crt.comodoca.com.cdn.cloudflare.net |  | CNAME (Canonical name) | IN (0x0001) | false


                                                                                                                                                                                  Target ID:0
                                                                                                                                                                                  Start time:11:21:40
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Users\user\Desktop\Collaboration-x64.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:"C:\Users\user\Desktop\Collaboration-x64.exe"
                                                                                                                                                                                  Imagebase:0x400000
                                                                                                                                                                                  File size:104'457'632 bytes
                                                                                                                                                                                  MD5 hash:335FE577CFCD7C2E3D62CA7AE6C92B8F
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:low
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:2
                                                                                                                                                                                  Start time:11:21:42
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\svchost.exe -k LocalService -s W32Time
                                                                                                                                                                                  Imagebase:0x7ff7b4ee0000
                                                                                                                                                                                  File size:55'320 bytes
                                                                                                                                                                                  MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:false
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:5
                                                                                                                                                                                  Start time:13:18:33
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\netsh.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:netsh advfirewall firewall add rule name="Wildix Collaboration" dir=in action=allow program="C:\Program Files\Wildix Collaboration\Wildix Collaboration.exe" enable=yes
                                                                                                                                                                                  Imagebase:0x1770000
                                                                                                                                                                                  File size:82'432 bytes
                                                                                                                                                                                  MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Reputation:high
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:6
Start time:13:18:33
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:7
Start time:13:18:34
Start date:13/01/2025
Path:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
Wow64 process (32bit):true
Commandline:"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true
Imagebase:0x400000
File size:25'539'800 bytes
MD5 hash:A7046C3136192E6E7B5180728B3B3B49
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:low
Has exited:false

Target ID:9
Start time:13:18:34
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:10
Start time:13:18:34
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:11
Start time:13:18:34
Start date:13/01/2025
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Imagebase:0x380000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:12
Start time:13:18:35
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:13
Start time:13:18:35
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:14
Start time:13:18:35
Start date:13/01/2025
Path:C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):true
Commandline:schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
Imagebase:0x380000
File size:187'904 bytes
MD5 hash:48C2FE20575769DE916F48EF0676A965
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high
Has exited:true

Target ID:15
Start time:13:18:35
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WIService.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:16
Start time:13:18:35
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:17
Start time:13:18:35
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WIService.exe
Imagebase:0xdc0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:18
Start time:13:18:36
Start date:13/01/2025
Path:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
Wow64 process (32bit):true
Commandline:C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true
Imagebase:0x400000
File size:25'539'800 bytes
MD5 hash:A7046C3136192E6E7B5180728B3B3B49
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:19
Start time:13:18:36
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WIui.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:20
Start time:13:18:36
Start date:13/01/2025
Path:C:\Users\user\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe
Wow64 process (32bit):true
Commandline:C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S
Imagebase:0x400000
File size:25'539'800 bytes
MD5 hash:A7046C3136192E6E7B5180728B3B3B49
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:false

Target ID:21
Start time:13:18:36
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:22
Start time:13:18:36
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WIui.exe
Imagebase:0xdc0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:23
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM wirtpproxy.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:24
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:25
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM wirtpproxy.exe
Imagebase:0xdc0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:26
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C schtasks /delete /TN "Wildix\WIService failed update recovery" /F
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:27
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:28
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM wiservice-ui.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:29
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:30
Start time:13:18:37
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                  Target ID:31
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:32
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM wiservice-ui.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:33
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:schtasks /delete /TN "Wildix\WIService failed update recovery" /F
                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:34
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:schtasks /create /SC HOURLY /TN "Wildix\WIService failed update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S /updateRecovery=true" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:35
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:36
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:37
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM vncsrv.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:38
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:39
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:40
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:41
                                                                                                                                                                                  Start time:13:18:37
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM vncsrv.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:42
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:43
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:schtasks /create /SC ONSTART /TN "Wildix\WIService update recovery" /TR "'C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe' /S" /RU SYSTEM /RL HIGHEST /F
                                                                                                                                                                                  Imagebase:0x380000
                                                                                                                                                                                  File size:187'904 bytes
                                                                                                                                                                                  MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:44
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:45
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:46
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIService.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:47
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:48
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:49
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WIService.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:50
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:51
                                                                                                                                                                                  Start time:13:18:39
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WIService.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:52
                                                                                                                                                                                  Start time:13:18:39
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WIService.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:53
                                                                                                                                                                                  Start time:13:18:38
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

Target ID:54
Start time:13:18:39
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:55
Start time:13:18:39
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WildixOutlookSync32.exe
Imagebase:0xdc0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:56
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WildixOutlookSync64.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:57
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:58
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WildixOutlookSync64.exe
Imagebase:0xdc0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:59
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WIui.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:60
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:61
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM WIui.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:62
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff75da10000
File size:862'208 bytes
MD5 hash:0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:63
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WIui.exe
Imagebase:0xdc0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:64
Start time:13:18:40
Start date:13/01/2025
Path:C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit):true
Commandline:taskkill /F /IM WIui.exe
Imagebase:0xdc0000
File size:74'240 bytes
MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:65
Start time:13:18:41
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM wirtpproxy.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

Target ID:66
Start time:13:18:41
Start date:13/01/2025
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd /C taskkill /F /IM wirtpproxy.exe
Imagebase:0x410000
File size:236'544 bytes
MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Has exited:true

                                                                                                                                                                                  Target ID:67
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:68
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:69
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM wirtpproxy.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:70
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM wirtpproxy.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:71
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM wiservice-ui.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:72
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM wiservice-ui.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:73
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:74
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:75
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM wiservice-ui.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:76
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM wiservice-ui.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:77
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM vncsrv.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:78
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM vncsrv.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:79
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:80
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:81
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM vncsrv.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:82
                                                                                                                                                                                  Start time:13:18:41
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM vncsrv.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:83
                                                                                                                                                                                  Start time:13:18:43
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:84
                                                                                                                                                                                  Start time:13:18:43
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:85
                                                                                                                                                                                  Start time:13:18:43
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:86
                                                                                                                                                                                  Start time:13:18:43
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:87
                                                                                                                                                                                  Start time:13:18:43
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:88
                                                                                                                                                                                  Start time:13:18:43
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookIntegration.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:89
                                                                                                                                                                                  Start time:13:18:43
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:90
                                                                                                                                                                                  Start time:13:18:44
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:91
                                                                                                                                                                                  Start time:13:18:44
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:92
                                                                                                                                                                                  Start time:13:18:44
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:93
                                                                                                                                                                                  Start time:13:18:44
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:94
                                                                                                                                                                                  Start time:13:18:44
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookSync32.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:97
                                                                                                                                                                                  Start time:13:18:45
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync64.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:98
                                                                                                                                                                                  Start time:13:18:45
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:"C:\Program Files\Wildix\WIService\wiservice.exe" --install_faxprinter
                                                                                                                                                                                  Imagebase:0x7ff6b2500000
                                                                                                                                                                                  File size:16'788'080 bytes
                                                                                                                                                                                  MD5 hash:D62710F3678538E483FFC7EA112D7F68
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Antivirus matches:
                                                                                                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:99
                                                                                                                                                                                  Start time:13:18:45
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:cmd /C taskkill /F /IM WildixOutlookSync64.exe
                                                                                                                                                                                  Imagebase:0x410000
                                                                                                                                                                                  File size:236'544 bytes
                                                                                                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:100
                                                                                                                                                                                  Start time:13:18:45
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:101
                                                                                                                                                                                  Start time:13:18:45
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff75da10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:102
                                                                                                                                                                                  Start time:13:18:45
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\SysWOW64\taskkill.exe
                                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                                  Commandline:taskkill /F /IM WildixOutlookSync64.exe
                                                                                                                                                                                  Imagebase:0xdc0000
                                                                                                                                                                                  File size:74'240 bytes
                                                                                                                                                                                  MD5 hash:CA313FD7E6C2A778FFD21CFB5C1C56CD
                                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:true

                                                                                                                                                                                  Target ID:115
                                                                                                                                                                                  Start time:13:18:48
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:120
                                                                                                                                                                                  Start time:13:18:48
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:125
                                                                                                                                                                                  Start time:13:18:49
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:129
                                                                                                                                                                                  Start time:13:18:49
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:135
                                                                                                                                                                                  Start time:13:18:49
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:139
                                                                                                                                                                                  Start time:13:18:49
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff6fee10000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:149
                                                                                                                                                                                  Start time:13:18:49
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:155
                                                                                                                                                                                  Start time:13:18:50
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:160
                                                                                                                                                                                  Start time:13:18:50
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:173
                                                                                                                                                                                  Start time:13:18:51
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:227
                                                                                                                                                                                  Start time:13:18:53
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:237
                                                                                                                                                                                  Start time:13:18:54
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:244
                                                                                                                                                                                  Start time:13:18:55
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:264
                                                                                                                                                                                  Start time:13:18:56
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:269
                                                                                                                                                                                  Start time:13:18:57
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:288
                                                                                                                                                                                  Start time:13:19:00
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:317
                                                                                                                                                                                  Start time:13:19:01
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:330
                                                                                                                                                                                  Start time:13:19:02
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                  Target ID:355
                                                                                                                                                                                  Start time:13:19:03
                                                                                                                                                                                  Start date:13/01/2025
                                                                                                                                                                                  Path:C:\Windows\System32\Conhost.exe
                                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                  Imagebase:0x7ff644d60000
                                                                                                                                                                                  File size:862'208 bytes
                                                                                                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                  Has elevated privileges:
                                                                                                                                                                                  Has administrator privileges:
                                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                                  Has exited:false

                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:8.7%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                    Signature Coverage:17.5%
                                                                                                                                                                                    Total number of Nodes:1264
                                                                                                                                                                                    Total number of Limit Nodes:66
9605 401cbd FindWindowExW 9603->9605 9606 401c81 SendMessageTimeoutW 9604->9606 9607 401c9f SendMessageW 9604->9607 9608 401cdf 9605->9608 9606->9608 9607->9608 8546 6ee11280 8547 6ee112a2 ??2@YAPAXI memset ??2@YAPAXI memset _wsetlocale 8546->8547 8569 6ee13681 8547->8569 8551 6ee13681 2 API calls 8552 6ee11348 8551->8552 8574 6ee135f4 8552->8574 8559 6ee135f4 2 API calls 8560 6ee11369 8559->8560 8561 6ee13616 2 API calls 8560->8561 8562 6ee1136f 8561->8562 8591 6ee136d0 8562->8591 8565 6ee113b0 8566 6ee113e3 8565->8566 8568 6ee113d2 memset ??3@YAXPAX 8565->8568 8567 6ee1139f memset ??3@YAXPAX 8567->8565 8568->8566 8570 6ee11341 8569->8570 8572 6ee1368a 8569->8572 8570->8551 8571 6ee136ba GlobalFree 8571->8570 8572->8570 8572->8571 8573 6ee136a6 lstrcpynW 8572->8573 8573->8571 8575 6ee1134f 8574->8575 8577 6ee13600 8574->8577 8578 6ee13616 8575->8578 8577->8575 8594 6ee135d0 8577->8594 8579 6ee11355 8578->8579 8581 6ee13621 8578->8581 8582 6ee07a42 8579->8582 8580 6ee135d0 2 API calls 8580->8581 8581->8579 8581->8580 8583 6ee07aa6 8582->8583 8584 6ee07a4d 8582->8584 8583->8559 8584->8583 8598 6ee07901 8584->8598 8588 6ee135f4 2 API calls 8589 6ee07a6c 8588->8589 8589->8583 8589->8588 8613 6ee0794c 8589->8613 8592 6ee11378 8591->8592 8593 6ee136d9 GlobalAlloc lstrcpynW 8591->8593 8592->8565 8592->8567 8593->8592 8595 6ee135d5 iswcntrl 8594->8595 8597 6ee135ed 8594->8597 8596 6ee135e1 iswspace 8595->8596 8595->8597 8596->8597 8597->8577 8599 6ee07942 8598->8599 8600 6ee07910 8598->8600 8599->8583 8599->8589 8602 6ee0785a EnterCriticalSection 8599->8602 8600->8599 8601 6ee07923 iswgraph 8600->8601 8601->8599 8601->8600 8603 6ee0787a __wgetmainargs 8602->8603 8612 6ee078db 8602->8612 8604 6ee078a0 GetVersion 8603->8604 8605 6ee078c1 8603->8605 8604->8605 8608 6ee078ef 8604->8608 8605->8608 8609 6ee078ca 8605->8609 8606 6ee078e3 LeaveCriticalSection 8607 6ee078ea 8606->8607 8607->8589 8608->8607 8611 6ee078f6 LeaveCriticalSection 8608->8611 8625 6ee0591f 
EnterCriticalSection 8609->8625 8611->8607 8612->8606 8612->8607 8614 6ee0795c 8613->8614 8615 6ee07981 iswgraph 8614->8615 8621 6ee07a0f 8614->8621 8616 6ee07994 8615->8616 8615->8621 8617 6ee0799e wcschr 8616->8617 8616->8621 8618 6ee07a16 _wcsicmp 8617->8618 8619 6ee079af 8617->8619 8618->8621 8619->8618 8620 6ee079b4 8619->8620 8620->8621 8622 6ee079d3 _wcsnicmp 8620->8622 8621->8589 8622->8621 8623 6ee079e5 8622->8623 8623->8621 8624 6ee079f5 wcsncpy 8623->8624 8624->8621 8626 6ee05951 abort 8625->8626 8627 6ee0593f 8625->8627 8626->8627 8628 6ee05965 8627->8628 8629 6ee0595e LeaveCriticalSection 8627->8629 8628->8612 8629->8628 9183 402032 9184 402044 9183->9184 9185 4020f6 9183->9185 9186 402c41 17 API calls 9184->9186 9187 401423 24 API calls 9185->9187 9188 40204b 9186->9188 9193 402250 9187->9193 9189 402c41 17 API calls 9188->9189 9190 402054 9189->9190 9191 40206a LoadLibraryExW 9190->9191 9192 40205c GetModuleHandleW 9190->9192 9191->9185 9194 40207b 9191->9194 9192->9191 9192->9194 9209 406703 WideCharToMultiByte 9194->9209 9197 4020c5 9201 405322 24 API calls 9197->9201 9198 40208c 9199 402094 9198->9199 9200 4020ab 9198->9200 9202 401423 24 API calls 9199->9202 9212 6ee121cc 9200->9212 9226 703f1777 9200->9226 9268 703f1272 9200->9268 9271 703f18d9 9200->9271 9203 40209c 9201->9203 9202->9203 9203->9193 9204 4020e8 FreeLibrary 9203->9204 9204->9193 9210 40672d GetProcAddress 9209->9210 9211 402086 9209->9211 9210->9211 9211->9197 9211->9198 9213 6ee121ee ??2@YAPAXI memset ??2@YAPAXI memset _wsetlocale 9212->9213 9215 6ee13681 2 API calls 9213->9215 9217 6ee1228c 9215->9217 9216 6ee136d0 2 API calls 9221 6ee122fe 9216->9221 9224 6ee122de 9217->9224 9277 6ee07b30 9217->9277 9219 6ee12325 memset ??3@YAXPAX 9223 6ee12336 9219->9223 9220 6ee12369 9220->9203 9221->9219 9221->9221 9221->9223 9222 6ee12358 memset ??3@YAXPAX 9222->9220 9223->9220 9223->9222 9223->9223 9224->9216 9225 6ee122ad 9225->9224 9227 703f17aa 9226->9227 9281 703f1b5f 9227->9281 9229 
703f17b1 9230 703f18d6 9229->9230 9231 703f17c9 9229->9231 9232 703f17c2 9229->9232 9230->9203 9315 703f2394 9231->9315 9331 703f2352 9232->9331 9237 703f180f 9344 703f2569 9237->9344 9238 703f182d 9243 703f187e 9238->9243 9244 703f1833 9238->9244 9239 703f17df 9242 703f17e5 9239->9242 9248 703f17f0 9239->9248 9240 703f17f8 9255 703f17ee 9240->9255 9341 703f2d37 9240->9341 9242->9255 9325 703f2aac 9242->9325 9246 703f2569 10 API calls 9243->9246 9360 703f15c6 9244->9360 9256 703f186f 9246->9256 9247 703f1815 9355 703f15b4 9247->9355 9335 703f2724 9248->9335 9254 703f2569 10 API calls 9254->9256 9255->9237 9255->9238 9259 703f18c5 9256->9259 9366 703f252c 9256->9366 9258 703f17f6 9258->9255 9259->9230 9261 703f18cf GlobalFree 9259->9261 9260 703f1272 2 API calls 9263 703f1821 GlobalFree 9260->9263 9261->9230 9263->9256 9265 703f18b1 9265->9259 9370 703f153d wsprintfW 9265->9370 9266 703f18aa FreeLibrary 9266->9265 9269 703f127b GlobalAlloc lstrcpynW 9268->9269 9270 703f12b5 9268->9270 9269->9270 9270->9203 9272 703f18fc 9271->9272 9273 703f1931 GlobalFree 9272->9273 9274 703f1943 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 9272->9274 9273->9274 9275 703f1272 2 API calls 9274->9275 9276 703f1ace GlobalFree GlobalFree 9275->9276 9276->9203 9278 6ee07b37 9277->9278 9280 6ee07b54 9277->9280 9279 6ee07b45 GetFullPathNameW 9278->9279 9278->9280 9279->9280 9280->9225 9373 703f121b GlobalAlloc 9281->9373 9283 703f1b83 9374 703f121b GlobalAlloc 9283->9374 9285 703f1da9 GlobalFree GlobalFree GlobalFree 9286 703f1dc6 9285->9286 9299 703f1e10 9285->9299 9288 703f2192 9286->9288 9297 703f1ddb 9286->9297 9286->9299 9287 703f1b8e 9287->9285 9289 703f1c64 GlobalAlloc 9287->9289 9291 703f20ec 9287->9291 9292 703f1ccd GlobalFree 9287->9292 9295 703f1caf lstrcpyW 9287->9295 9296 703f1cb9 lstrcpyW 9287->9296 9287->9299 9303 703f2064 9287->9303 9306 703f1d0b 9287->9306 9307 703f1fa5 GlobalFree 9287->9307 9312 703f122c 2 API calls 9287->9312 9290 703f21b4 GetModuleHandleW 
9288->9290 9288->9299 9289->9287 9293 703f21da 9290->9293 9294 703f21c5 LoadLibraryW 9290->9294 9291->9299 9308 703f2134 lstrcpyW 9291->9308 9292->9287 9381 703f161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 9293->9381 9294->9293 9294->9299 9295->9296 9296->9287 9297->9299 9377 703f122c 9297->9377 9299->9229 9301 703f2239 lstrlenW 9382 703f161d WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 9301->9382 9302 703f222c 9302->9299 9302->9301 9380 703f121b GlobalAlloc 9303->9380 9306->9287 9375 703f158f GlobalSize GlobalAlloc 9306->9375 9307->9287 9308->9299 9309 703f2253 9309->9299 9311 703f21ec 9311->9302 9313 703f2216 GetProcAddress 9311->9313 9312->9287 9313->9302 9314 703f206d 9314->9229 9321 703f23ac 9315->9321 9317 703f24d5 GlobalFree 9318 703f17cf 9317->9318 9317->9321 9318->9239 9318->9240 9318->9255 9319 703f247f GlobalAlloc CLSIDFromString 9319->9317 9320 703f2454 GlobalAlloc WideCharToMultiByte 9320->9317 9321->9317 9321->9319 9321->9320 9322 703f122c GlobalAlloc lstrcpynW 9321->9322 9324 703f249e 9321->9324 9384 703f12ba 9321->9384 9322->9321 9324->9317 9388 703f26b8 9324->9388 9327 703f2abe 9325->9327 9326 703f2b63 CreateToolhelp32Snapshot 9330 703f2b81 9326->9330 9327->9326 9329 703f2c4d 9329->9255 9391 703f2a56 9330->9391 9332 703f2367 9331->9332 9333 703f2372 GlobalAlloc 9332->9333 9334 703f17c8 9332->9334 9333->9332 9334->9231 9339 703f2754 9335->9339 9336 703f27ef GlobalAlloc 9340 703f2812 9336->9340 9337 703f2802 9338 703f2808 GlobalSize 9337->9338 9337->9340 9338->9340 9339->9336 9339->9337 9340->9258 9342 703f2d42 9341->9342 9343 703f2d82 GlobalFree 9342->9343 9395 703f121b GlobalAlloc 9344->9395 9346 703f261f lstrcpynW 9351 703f2573 9346->9351 9347 703f260e StringFromGUID2 9347->9351 9348 703f25ec MultiByteToWideChar 9348->9351 9349 703f2656 GlobalFree 9349->9351 9350 703f2632 wsprintfW 9350->9351 9351->9346 9351->9347 9351->9348 9351->9349 9351->9350 9352 703f268b GlobalFree 
9351->9352 9353 703f1272 2 API calls 9351->9353 9396 703f12e1 9351->9396 9352->9247 9353->9351 9400 703f121b GlobalAlloc 9355->9400 9357 703f15b9 9358 703f15c6 2 API calls 9357->9358 9359 703f15c3 9358->9359 9359->9260 9361 703f15ff lstrcpyW 9360->9361 9362 703f15d2 wsprintfW 9360->9362 9365 703f1618 9361->9365 9362->9365 9365->9254 9367 703f253a 9366->9367 9369 703f1891 9366->9369 9368 703f2556 GlobalFree 9367->9368 9367->9369 9368->9367 9369->9265 9369->9266 9371 703f1272 2 API calls 9370->9371 9372 703f155e 9371->9372 9372->9259 9373->9283 9374->9287 9376 703f15ad 9375->9376 9376->9306 9383 703f121b GlobalAlloc 9377->9383 9379 703f123b lstrcpynW 9379->9299 9380->9314 9381->9311 9382->9309 9383->9379 9385 703f12c1 9384->9385 9386 703f122c 2 API calls 9385->9386 9387 703f12df 9386->9387 9387->9321 9389 703f271c 9388->9389 9390 703f26c6 VirtualAlloc 9388->9390 9389->9324 9390->9389 9392 703f2a61 9391->9392 9393 703f2a66 GetLastError 9392->9393 9394 703f2a71 9392->9394 9393->9394 9394->9329 9395->9351 9397 703f130c 9396->9397 9398 703f12ea 9396->9398 9397->9351 9398->9397 9399 703f12f0 lstrcpyW 9398->9399 9399->9397 9400->9357 10748 402a35 10749 402c1f 17 API calls 10748->10749 10750 402a3b 10749->10750 10751 402a72 10750->10751 10752 40288b 10750->10752 10754 402a4d 10750->10754 10751->10752 10753 4062dc 17 API calls 10751->10753 10753->10752 10754->10752 10756 406201 wsprintfW 10754->10756 10756->10752 10757 401735 10758 402c41 17 API calls 10757->10758 10759 40173c SearchPathW 10758->10759 10760 401757 10759->10760 10762 4029e6 10759->10762 10760->10762 10763 4062ba lstrcpynW 10760->10763 10763->10762 9424 10001377 9431 1000143a 9424->9431 9432 100013a3 9431->9432 9434 10001443 9431->9434 9436 100010d0 GetVersionExW 9432->9436 9433 10001473 GlobalFree 9433->9432 9434->9432 9434->9433 9435 1000145f lstrcpynW 9434->9435 9435->9433 9437 1000110a 9436->9437 9449 10001100 9436->9449 9438 10001115 9437->9438 9439 1000112c LoadLibraryW 9437->9439 9440 10001227 
LoadLibraryA 9438->9440 9438->9449 9441 10001145 GetProcAddress 9439->9441 9448 100011af 9439->9448 9442 1000123f GetProcAddress GetProcAddress GetProcAddress 9440->9442 9440->9449 9443 10001158 LocalAlloc 9441->9443 9444 10001198 9441->9444 9445 1000133a FreeLibrary 9442->9445 9459 1000126e 9442->9459 9447 10001193 9443->9447 9446 100011a4 FreeLibrary 9444->9446 9445->9449 9446->9448 9447->9444 9450 10001166 NtQuerySystemInformation 9447->9450 9448->9449 9451 100011c9 lstrcpynW lstrcmpiW 9448->9451 9453 10001219 LocalFree 9448->9453 9455 100011f9 9448->9455 9462 100014cf wsprintfW 9449->9462 9450->9446 9452 10001179 LocalFree 9450->9452 9451->9448 9452->9444 9454 1000118a LocalAlloc 9452->9454 9453->9449 9454->9447 9455->9448 9465 1000103f OpenProcess 9455->9465 9457 10001333 CloseHandle 9457->9445 9458 100012a8 lstrlenW 9458->9459 9459->9445 9459->9457 9459->9458 9460 100012c9 lstrlenA MultiByteToWideChar lstrcmpiW 9459->9460 9461 1000103f 8 API calls 9459->9461 9460->9459 9461->9459 9478 10001489 9462->9478 9466 10001060 9465->9466 9467 100010cb 9465->9467 9468 1000106b EnumWindows 9466->9468 9469 100010ac TerminateProcess 9466->9469 9467->9455 9468->9469 9470 1000107f GetExitCodeProcess 9468->9470 9475 10001007 GetWindowThreadProcessId 9468->9475 9471 100010a7 9469->9471 9472 100010be CloseHandle 9469->9472 9470->9471 9473 1000108e 9470->9473 9471->9472 9472->9467 9473->9471 9474 10001097 WaitForSingleObject 9473->9474 9474->9469 9474->9471 9476 10001024 PostMessageW 9475->9476 9477 10001036 9475->9477 9476->9477 9479 10001492 GlobalAlloc lstrcpynW 9478->9479 9480 100013b6 9478->9480 9479->9480 9576 703e1840 9577 703e1898 CallWindowProcW 9576->9577 9578 703e1852 9576->9578 9578->9577 9579 703e186e InvalidateRect UpdateWindow 9578->9579 9580 703e187d 9578->9580 9579->9580 9581 703e1896 9580->9581 9582 703e1886 InvalidateRect UpdateWindow 9580->9582 9581->9577 9582->9581 8630 4015c1 8631 402c41 17 API calls 8630->8631 8632 4015c8 8631->8632 8633 405c3a 4 API 
calls 8632->8633 8646 4015d1 8633->8646 8634 401631 8636 401663 8634->8636 8637 401636 8634->8637 8635 405bbc CharNextW 8635->8646 8639 401423 24 API calls 8636->8639 8657 401423 8637->8657 8645 40165b 8639->8645 8644 40164a SetCurrentDirectoryW 8644->8645 8646->8634 8646->8635 8647 401617 GetFileAttributesW 8646->8647 8649 40588b 8646->8649 8652 4057f1 CreateDirectoryW 8646->8652 8661 40586e CreateDirectoryW 8646->8661 8647->8646 8664 406694 GetModuleHandleA 8649->8664 8653 405842 GetLastError 8652->8653 8654 40583e 8652->8654 8653->8654 8655 405851 SetFileSecurityW 8653->8655 8654->8646 8655->8654 8656 405867 GetLastError 8655->8656 8656->8654 8658 405322 24 API calls 8657->8658 8659 401431 8658->8659 8660 4062ba lstrcpynW 8659->8660 8660->8644 8662 405882 GetLastError 8661->8662 8663 40587e 8661->8663 8662->8663 8663->8646 8665 4066b0 8664->8665 8666 4066ba GetProcAddress 8664->8666 8670 406624 GetSystemDirectoryW 8665->8670 8667 405892 8666->8667 8667->8646 8669 4066b6 8669->8666 8669->8667 8671 406646 wsprintfW LoadLibraryExW 8670->8671 8671->8669 10995 4016cc 10996 402c41 17 API calls 10995->10996 10997 4016d2 GetFullPathNameW 10996->10997 10998 4016ec 10997->10998 11004 40170e 10997->11004 11001 4065fd 2 API calls 10998->11001 10998->11004 10999 401723 GetShortPathNameW 11000 402ac5 10999->11000 11002 4016fe 11001->11002 11002->11004 11005 4062ba lstrcpynW 11002->11005 11004->10999 11004->11000 11005->11004 8800 703e19b0 8801 703e1a88 8800->8801 8802 703e19c3 GetActiveWindow 8800->8802 8803 703e1a8d GetActiveWindow 8801->8803 8804 703e1ae6 8801->8804 8805 703e19d9 ShowWindow 8802->8805 8806 703e19e4 9 API calls 8802->8806 8807 703e1aae ShowWindow SetWindowPos DestroyWindow 8803->8807 8808 703e1aa3 ShowWindow 8803->8808 8805->8806 8814 703e1470 16 API calls 8806->8814 8815 703e1470 16 API calls 8807->8815 8808->8807 8811 703e1a7a 8812 703e1ade 8816 703e1530 9 API calls 8812->8816 8814->8811 8815->8812 8816->8804 8689 4023e4 8690 402c41 17 API calls 8689->8690 
8691 4023f6 8690->8691 8692 402c41 17 API calls 8691->8692 8693 402400 8692->8693 8706 402cd1 8693->8706 8696 402438 8702 402444 8696->8702 8710 402c1f 8696->8710 8697 40288b 8698 402c41 17 API calls 8699 40242e lstrlenW 8698->8699 8699->8696 8701 402463 RegSetValueExW 8704 402479 RegCloseKey 8701->8704 8702->8701 8713 403116 8702->8713 8704->8697 8707 402cec 8706->8707 8733 406155 8707->8733 8711 4062dc 17 API calls 8710->8711 8712 402c34 8711->8712 8712->8702 8714 40312f 8713->8714 8715 40315d 8714->8715 8740 403347 SetFilePointer 8714->8740 8737 403331 8715->8737 8719 4032ca 8721 40330c 8719->8721 8726 4032ce 8719->8726 8720 40317a GetTickCount 8722 4032b4 8720->8722 8729 4031c9 8720->8729 8723 403331 ReadFile 8721->8723 8722->8701 8723->8722 8724 403331 ReadFile 8724->8729 8725 403331 ReadFile 8725->8726 8726->8722 8726->8725 8727 405e62 WriteFile 8726->8727 8727->8726 8728 40321f GetTickCount 8728->8729 8729->8722 8729->8724 8729->8728 8730 403244 MulDiv wsprintfW 8729->8730 8732 405e62 WriteFile 8729->8732 8731 405322 24 API calls 8730->8731 8731->8729 8732->8729 8734 406164 8733->8734 8735 402410 8734->8735 8736 40616f RegCreateKeyExW 8734->8736 8735->8696 8735->8697 8735->8698 8736->8735 8738 405e33 ReadFile 8737->8738 8739 403168 8738->8739 8739->8719 8739->8720 8739->8722 8740->8715 8794 703f2993 8795 703f29e3 8794->8795 8796 703f29a3 VirtualProtect 8794->8796 8796->8795 8741 402484 8752 402c81 8741->8752 8744 402c41 17 API calls 8745 402497 8744->8745 8746 4024a2 RegQueryValueExW 8745->8746 8749 40288b 8745->8749 8747 4024c8 RegCloseKey 8746->8747 8748 4024c2 8746->8748 8747->8749 8748->8747 8757 406201 wsprintfW 8748->8757 8753 402c41 17 API calls 8752->8753 8754 402c98 8753->8754 8755 406127 RegOpenKeyExW 8754->8755 8756 40248e 8755->8756 8756->8744 8757->8747 8944 40338f SetErrorMode GetVersion 8945 4033ce 8944->8945 8946 4033d4 8944->8946 8947 406694 5 API calls 8945->8947 8948 406624 3 API calls 8946->8948 8947->8946 8949 4033ea lstrlenA 8948->8949 
8949->8946 8950 4033fa 8949->8950 8951 406694 5 API calls 8950->8951 8952 403401 8951->8952 8953 406694 5 API calls 8952->8953 8954 403408 8953->8954 8955 406694 5 API calls 8954->8955 8956 403414 #17 OleInitialize SHGetFileInfoW 8955->8956 9034 4062ba lstrcpynW 8956->9034 8959 403460 GetCommandLineW 9035 4062ba lstrcpynW 8959->9035 8961 403472 8962 405bbc CharNextW 8961->8962 8963 403497 CharNextW 8962->8963 8964 4035c1 GetTempPathW 8963->8964 8974 4034b0 8963->8974 9036 40335e 8964->9036 8966 4035d9 8967 403633 DeleteFileW 8966->8967 8968 4035dd GetWindowsDirectoryW lstrcatW 8966->8968 9046 402edd GetTickCount GetModuleFileNameW 8967->9046 8971 40335e 12 API calls 8968->8971 8969 405bbc CharNextW 8969->8974 8973 4035f9 8971->8973 8972 403647 8982 405bbc CharNextW 8972->8982 9016 4036ea 8972->9016 9029 4036fa 8972->9029 8973->8967 8975 4035fd GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 8973->8975 8974->8969 8976 4035ac 8974->8976 8978 4035aa 8974->8978 8977 40335e 12 API calls 8975->8977 9130 4062ba lstrcpynW 8976->9130 8980 40362b 8977->8980 8978->8964 8980->8967 8980->9029 8988 403666 8982->8988 8985 403834 8987 40383c GetCurrentProcess OpenProcessToken 8985->8987 8995 4038b8 ExitProcess 8985->8995 8986 403714 8989 405920 MessageBoxIndirectW 8986->8989 8993 403854 LookupPrivilegeValueW AdjustTokenPrivileges 8987->8993 8994 403888 8987->8994 8990 4036c4 8988->8990 8991 40372a 8988->8991 8992 403722 ExitProcess 8989->8992 8997 405c97 18 API calls 8990->8997 8998 40588b 5 API calls 8991->8998 8993->8994 8999 406694 5 API calls 8994->8999 9000 4036d0 8997->9000 9001 40372f lstrcatW 8998->9001 9002 40388f 8999->9002 9000->9029 9131 4062ba lstrcpynW 9000->9131 9003 403740 lstrcatW 9001->9003 9004 40374b lstrcatW lstrcmpiW 9001->9004 9005 4038a4 ExitWindowsEx 9002->9005 9008 4038b1 9002->9008 9003->9004 9007 403767 9004->9007 9004->9029 9005->8995 9005->9008 9010 403773 9007->9010 9011 40376c 9007->9011 9142 40140b 9008->9142 9009 4036df 9132 
4062ba lstrcpynW 9009->9132 9015 40586e 2 API calls 9010->9015 9014 4057f1 4 API calls 9011->9014 9017 403771 9014->9017 9018 403778 SetCurrentDirectoryW 9015->9018 9074 4039aa 9016->9074 9017->9018 9019 403793 9018->9019 9020 403788 9018->9020 9141 4062ba lstrcpynW 9019->9141 9140 4062ba lstrcpynW 9020->9140 9023 4062dc 17 API calls 9024 4037d2 DeleteFileW 9023->9024 9025 4037df CopyFileW 9024->9025 9031 4037a1 9024->9031 9025->9031 9026 403828 9027 406080 36 API calls 9026->9027 9027->9029 9028 406080 36 API calls 9028->9031 9133 4038d0 9029->9133 9030 4062dc 17 API calls 9030->9031 9031->9023 9031->9026 9031->9028 9031->9030 9032 4058a3 2 API calls 9031->9032 9033 403813 CloseHandle 9031->9033 9032->9031 9033->9031 9034->8959 9035->8961 9037 40654e 5 API calls 9036->9037 9038 40336a 9037->9038 9039 403374 9038->9039 9040 405b8f 3 API calls 9038->9040 9039->8966 9041 40337c 9040->9041 9042 40586e 2 API calls 9041->9042 9043 403382 9042->9043 9145 405ddf 9043->9145 9149 405db0 GetFileAttributesW CreateFileW 9046->9149 9048 402f1d 9066 402f2d 9048->9066 9150 4062ba lstrcpynW 9048->9150 9050 402f43 9051 405bdb 2 API calls 9050->9051 9052 402f49 9051->9052 9151 4062ba lstrcpynW 9052->9151 9054 402f54 GetFileSize 9055 403050 9054->9055 9073 402f6b 9054->9073 9152 402e79 9055->9152 9057 403059 9059 403089 GlobalAlloc 9057->9059 9057->9066 9164 403347 SetFilePointer 9057->9164 9058 403331 ReadFile 9058->9073 9163 403347 SetFilePointer 9059->9163 9061 4030bc 9063 402e79 6 API calls 9061->9063 9063->9066 9064 403072 9067 403331 ReadFile 9064->9067 9065 4030a4 9068 403116 31 API calls 9065->9068 9066->8972 9069 40307d 9067->9069 9071 4030b0 9068->9071 9069->9059 9069->9066 9070 402e79 6 API calls 9070->9073 9071->9066 9071->9071 9072 4030ed SetFilePointer 9071->9072 9072->9066 9073->9055 9073->9058 9073->9061 9073->9066 9073->9070 9075 406694 5 API calls 9074->9075 9076 4039be 9075->9076 9077 4039c4 9076->9077 9078 4039d6 9076->9078 9173 406201 wsprintfW 9077->9173 9079 
406188 3 API calls 9078->9079 9080 403a06 9079->9080 9082 403a25 lstrcatW 9080->9082 9084 406188 3 API calls 9080->9084 9083 4039d4 9082->9083 9165 403c80 9083->9165 9084->9082 9087 405c97 18 API calls 9089 403a57 9087->9089 9088 403aeb 9090 405c97 18 API calls 9088->9090 9089->9088 9091 406188 3 API calls 9089->9091 9092 403af1 9090->9092 9093 403a89 9091->9093 9094 403b01 LoadImageW 9092->9094 9095 4062dc 17 API calls 9092->9095 9093->9088 9098 403aaa lstrlenW 9093->9098 9101 405bbc CharNextW 9093->9101 9096 403ba7 9094->9096 9097 403b28 RegisterClassW 9094->9097 9095->9094 9100 40140b 2 API calls 9096->9100 9099 403b5e SystemParametersInfoW CreateWindowExW 9097->9099 9129 403bb1 9097->9129 9102 403ab8 lstrcmpiW 9098->9102 9103 403ade 9098->9103 9099->9096 9104 403bad 9100->9104 9105 403aa7 9101->9105 9102->9103 9106 403ac8 GetFileAttributesW 9102->9106 9107 405b8f 3 API calls 9103->9107 9109 403c80 18 API calls 9104->9109 9104->9129 9105->9098 9108 403ad4 9106->9108 9110 403ae4 9107->9110 9108->9103 9111 405bdb 2 API calls 9108->9111 9112 403bbe 9109->9112 9174 4062ba lstrcpynW 9110->9174 9111->9103 9114 403bca ShowWindow 9112->9114 9115 403c4d 9112->9115 9116 406624 3 API calls 9114->9116 9117 4053f5 5 API calls 9115->9117 9118 403be2 9116->9118 9119 403c53 9117->9119 9120 403bf0 GetClassInfoW 9118->9120 9123 406624 3 API calls 9118->9123 9121 403c57 9119->9121 9122 403c6f 9119->9122 9125 403c04 GetClassInfoW RegisterClassW 9120->9125 9126 403c1a DialogBoxParamW 9120->9126 9127 40140b 2 API calls 9121->9127 9121->9129 9124 40140b 2 API calls 9122->9124 9123->9120 9124->9129 9125->9126 9128 40140b 2 API calls 9126->9128 9127->9129 9128->9129 9129->9029 9130->8978 9131->9009 9132->9016 9134 4038e8 9133->9134 9135 4038da CloseHandle 9133->9135 9179 403915 9134->9179 9135->9134 9138 4059cc 67 API calls 9139 403703 OleUninitialize 9138->9139 9139->8985 9139->8986 9140->9019 9141->9031 9143 401389 2 API calls 9142->9143 9144 401420 9143->9144 9144->8995 9146 405dec 
GetTickCount GetTempFileNameW 9145->9146 9147 405e22 9146->9147 9148 40338d 9146->9148 9147->9146 9147->9148 9148->8966 9149->9048 9150->9050 9151->9054 9153 402e82 9152->9153 9154 402e9a 9152->9154 9155 402e92 9153->9155 9156 402e8b DestroyWindow 9153->9156 9157 402ea2 9154->9157 9158 402eaa GetTickCount 9154->9158 9155->9057 9156->9155 9159 4066d0 2 API calls 9157->9159 9160 402eb8 CreateDialogParamW ShowWindow 9158->9160 9161 402edb 9158->9161 9162 402ea8 9159->9162 9160->9161 9161->9057 9162->9057 9163->9065 9164->9064 9166 403c94 9165->9166 9175 406201 wsprintfW 9166->9175 9168 403d05 9176 403d39 9168->9176 9170 403a35 9170->9087 9171 403d0a 9171->9170 9172 4062dc 17 API calls 9171->9172 9172->9171 9173->9083 9174->9088 9175->9168 9177 4062dc 17 API calls 9176->9177 9178 403d47 SetWindowTextW 9177->9178 9178->9171 9180 403923 9179->9180 9181 4038ed 9180->9181 9182 403928 FreeLibrary GlobalFree 9180->9182 9181->9138 9182->9181 9182->9182 11469 405296 11470 4052a6 11469->11470 11471 4052ba 11469->11471 11473 405303 11470->11473 11474 4052ac 11470->11474 11472 4052c2 IsWindowVisible 11471->11472 11480 4052d9 11471->11480 11472->11473 11475 4052cf 11472->11475 11476 405308 CallWindowProcW 11473->11476 11477 40427d SendMessageW 11474->11477 11482 404bec SendMessageW 11475->11482 11479 4052b6 11476->11479 11477->11479 11480->11476 11487 404c6c 11480->11487 11483 404c4b SendMessageW 11482->11483 11484 404c0f GetMessagePos ScreenToClient SendMessageW 11482->11484 11486 404c43 11483->11486 11485 404c48 11484->11485 11484->11486 11485->11483 11486->11480 11496 4062ba lstrcpynW 11487->11496 11489 404c7f 11497 406201 wsprintfW 11489->11497 11491 404c89 11492 40140b 2 API calls 11491->11492 11493 404c92 11492->11493 11498 4062ba lstrcpynW 11493->11498 11495 404c99 11495->11473 11496->11489 11497->11491 11498->11495 11710 4029a8 11711 402c1f 17 API calls 11710->11711 11712 4029ae 11711->11712 11713 4029d5 11712->11713 11714 4029ee 11712->11714 11720 40288b 11712->11720 
11715 4029da 11713->11715 11716 4029eb 11713->11716 11717 402a08 11714->11717 11718 4029f8 11714->11718 11724 4062ba lstrcpynW 11715->11724 11725 406201 wsprintfW 11716->11725 11719 4062dc 17 API calls 11717->11719 11721 402c1f 17 API calls 11718->11721 11719->11720 11721->11720 11724->11720 11725->11720 8817 703e1cd0 8818 703e1ce2 8817->8818 8828 703e1fc7 8817->8828 8840 703e1710 GlobalAlloc GlobalAlloc 8818->8840 8820 703e1d1a 6 API calls 8821 703e1d83 FindWindowExW GetDlgItem 8820->8821 8822 703e1da0 8820->8822 8821->8822 8823 703e1db9 CreateThread 8822->8823 8824 703e1e55 8822->8824 8827 703e1ddc 8823->8827 8823->8828 8876 703e1af0 CreateDialogParamW 8823->8876 8825 703e1e5d CreateThread 8824->8825 8826 703e1e96 8824->8826 8825->8828 8829 703e1e81 8825->8829 8884 703e1bd0 8825->8884 8830 703e1f0e 8826->8830 8831 703e1ea4 SetWindowLongW GetWindowPlacement GetClientRect ShowWindow SetWindowPos 8826->8831 8832 703e1de8 Sleep 8827->8832 8833 703e1df2 6 API calls 8827->8833 8834 703e1e89 Sleep 8829->8834 8835 703e1e93 CloseHandle 8829->8835 8851 703e15c0 GetClientRect 8830->8851 8836 703e1f99 SetWindowLongW SetWindowPos 8831->8836 8832->8827 8833->8824 8834->8829 8835->8826 8836->8828 8838 703e1f21 8838->8836 8839 703e1f2c 6 API calls 8838->8839 8839->8836 8848 703e1740 8840->8848 8841 703e2197 lstrcpyW GlobalFree 8841->8848 8842 703e178e 8844 703e17e6 GetModuleHandleW LoadImageW 8842->8844 8845 703e1800 GlobalFree GlobalFree 8842->8845 8844->8845 8845->8820 8846 703e17d7 8873 703e21d7 8846->8873 8848->8841 8848->8842 8848->8846 8849 703e17af DestroyIcon 8848->8849 8850 703e17c0 LoadImageW 8848->8850 8860 703e13d0 lstrcmpiW 8848->8860 8849->8850 8850->8848 8852 703e168b GetSystemMetrics GetSystemMetrics GetSystemMetrics GetSystemMetrics 8851->8852 8853 703e15e7 8851->8853 8858 703e16d1 GetSystemMetrics 8852->8858 8854 703e15ee 8853->8854 8855 703e15fd GetSystemMetrics GetSystemMetrics 8853->8855 8856 703e1624 GetSystemMetrics GetSystemMetrics GetSystemMetrics 
8853->8856 8857 703e1651 GetSystemMetrics GetSystemMetrics GetSystemMetrics GetSystemMetrics 8853->8857 8859 703e16db SetWindowPos 8854->8859 8855->8859 8856->8854 8857->8858 8858->8854 8859->8838 8861 703e13e8 8860->8861 8862 703e13f0 lstrcmpiW 8860->8862 8861->8848 8863 703e13fc 8862->8863 8864 703e1404 lstrcmpiW 8862->8864 8863->8848 8865 703e1418 lstrcmpiW 8864->8865 8866 703e1410 8864->8866 8867 703e142c lstrcmpiW 8865->8867 8868 703e1424 8865->8868 8866->8848 8869 703e1438 8867->8869 8870 703e1440 lstrcmpiW 8867->8870 8868->8848 8869->8848 8871 703e144c 8870->8871 8872 703e1454 lstrcmpiW 8870->8872 8871->8848 8872->8848 8874 703e221a 8873->8874 8875 703e21e0 GlobalAlloc lstrcpynW 8873->8875 8874->8842 8875->8874 8877 703e1b1c GetDlgItem SendMessageW SendMessageW IsWindow 8876->8877 8878 703e1bb3 8876->8878 8877->8878 8879 703e1b71 8877->8879 8880 703e1b85 PeekMessageW 8879->8880 8881 703e1b9c DispatchMessageW 8880->8881 8882 703e1ba5 WaitMessage 8880->8882 8883 703e1ba7 IsWindow 8881->8883 8882->8883 8883->8878 8883->8880 8885 703e1bdc FindWindowExW 8884->8885 8886 703e1bf3 8884->8886 8885->8886 8896 703e1350 CreateWindowExW 8886->8896 8888 703e1c05 8889 703e1c15 SendMessageW SendMessageW SendMessageW IsWindow 8888->8889 8895 703e1cb0 8888->8895 8890 703e1c6a 8889->8890 8889->8895 8891 703e1c80 PeekMessageW 8890->8891 8892 703e1c98 DispatchMessageW 8891->8892 8893 703e1ca1 WaitMessage 8891->8893 8894 703e1ca3 IsWindow 8892->8894 8893->8894 8894->8891 8894->8895 8897 703e1383 GlobalAlloc GlobalAlloc SetWindowLongW SetWindowPos 8896->8897 8898 703e1381 8896->8898 8897->8888 8898->8888 9583 703e18c0 9584 703e18ef CallWindowProcW 9583->9584 9585 703e18d2 SendMessageW 9583->9585 9585->9584

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetErrorMode.KERNEL32 ref: 004033B2
                                                                                                                                                                                    • GetVersion.KERNEL32 ref: 004033B8
                                                                                                                                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033EB
                                                                                                                                                                                    • #17.COMCTL32(?,00000006,00000008,0000000A), ref: 00403428
                                                                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 0040342F
                                                                                                                                                                                    • SHGetFileInfoW.SHELL32(00440208,00000000,?,000002B4,00000000), ref: 0040344B
                                                                                                                                                                                    • GetCommandLineW.KERNEL32(00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 00403460
                                                                                                                                                                                    • CharNextW.USER32(00000000,004CB000,00000020,004CB000,00000000,?,00000006,00000008,0000000A), ref: 00403498
                                                                                                                                                                                      • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                      • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                    • GetTempPathW.KERNEL32(00002000,004DF000,?,00000006,00000008,0000000A), ref: 004035D2
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(004DF000,00001FFB,?,00000006,00000008,0000000A), ref: 004035E3
                                                                                                                                                                                    • lstrcatW.KERNEL32(004DF000,\Temp,?,00000006,00000008,0000000A), ref: 004035EF
                                                                                                                                                                                    • GetTempPathW.KERNEL32(00001FFC,004DF000,004DF000,\Temp,?,00000006,00000008,0000000A), ref: 00403603
                                                                                                                                                                                    • lstrcatW.KERNEL32(004DF000,Low,?,00000006,00000008,0000000A), ref: 0040360B
                                                                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,004DF000,004DF000,Low,?,00000006,00000008,0000000A), ref: 0040361C
                                                                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TMP,004DF000,?,00000006,00000008,0000000A), ref: 00403624
                                                                                                                                                                                    • DeleteFileW.KERNEL32(004DB000,?,00000006,00000008,0000000A), ref: 00403638
                                                                                                                                                                                      • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                    • OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403703
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403724
                                                                                                                                                                                    • lstrcatW.KERNEL32(004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403737
                                                                                                                                                                                    • lstrcatW.KERNEL32(004DF000,0040A26C,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403746
                                                                                                                                                                                    • lstrcatW.KERNEL32(004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403751
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(004DF000,004D7000,004DF000,.tmp,004DF000,~nsu,004CB000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040375D
                                                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(004DF000,004DF000,?,00000006,00000008,0000000A), ref: 00403779
                                                                                                                                                                                    • DeleteFileW.KERNEL32(0043C208,0043C208,?,0047B000,00000008,?,00000006,00000008,0000000A), ref: 004037D3
                                                                                                                                                                                    • CopyFileW.KERNEL32(004E7000,0043C208,00000001,?,00000006,00000008,0000000A), ref: 004037E7
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,0043C208,0043C208,?,0043C208,00000000,?,00000006,00000008,0000000A), ref: 00403814
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403843
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0040384A
                                                                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 0040385F
                                                                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32 ref: 00403882
                                                                                                                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 004038A7
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 004038CA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
                                                                                                                                                                                    • String ID: .tmp$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 004054BF
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 004054CE
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040550B
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 00405512
                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 00405533
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405544
                                                                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405557
                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405565
                                                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405578
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040559A
                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 004055AE
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004055CF
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004055DF
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004055F8
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405604
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 004054DD
                                                                                                                                                                                      • Part of subcall function 00404266: SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 00405621
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000053F5,00000000), ref: 0040562F
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00405636
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 0040565A
                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040565F
                                                                                                                                                                                    • ShowWindow.USER32(00000008), ref: 004056A9
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004056DD
                                                                                                                                                                                    • CreatePopupMenu.USER32 ref: 004056EE
                                                                                                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405702
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 00405722
                                                                                                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 0040573B
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405773
                                                                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405783
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00405789
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405795
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0040579F
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004057B3
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 004057D3
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 004057DE
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 004057E4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                    • String ID: {
                                                                                                                                                                                    • API String ID: 590372296-366298937

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 100010F6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2543042678.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Version
                                                                                                                                                                                    • String ID: CreateToolhelp32Snapshot$KERNEL32.DLL$NTDLL.DLL$NtQuerySystemInformation$Process32First$Process32Next
                                                                                                                                                                                    • API String ID: 1889659487-877962304
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 703F121B: GlobalAlloc.KERNEL32(00000040,?,703F123B,?,703F12DF,00000019,703F11BE,-000000A0), ref: 703F1225
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 703F1C6B
                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000008,?), ref: 703F1CB3
                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000808,?), ref: 703F1CBD
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F1CD0
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 703F1DB2
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 703F1DB7
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 703F1DBC
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F1FA6
                                                                                                                                                                                    • lstrcpyW.KERNEL32(?,?), ref: 703F2140
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000008), ref: 703F21B5
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(00000008), ref: 703F21C6
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 703F2220
                                                                                                                                                                                    • lstrlenW.KERNEL32(00000808), ref: 703F223A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 245916457-0

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,?,004DF000,771B3420,00000000), ref: 004059F5
                                                                                                                                                                                    • lstrcatW.KERNEL32(00460250,\*.*,00460250,?,?,004DF000,771B3420,00000000), ref: 00405A3D
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,00460250,?,?,004DF000,771B3420,00000000), ref: 00405A60
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,00460250,?,?,004DF000,771B3420,00000000), ref: 00405A66
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(00460250,?,?,?,0040A014,?,00460250,?,?,004DF000,771B3420,00000000), ref: 00405A76
                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405B16
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405B25
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                    • String ID: \*.*
                                                                                                                                                                                    • API String ID: 2035342205-1173974218
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(004DF000,00468298,00464250,00405CE0,00464250,00464250,00000000,00464250,00464250,004DF000,?,771B3420,004059EC,?,004DF000,771B3420), ref: 00406608
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00406614
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2295610775-0
                                                                                                                                                                                    • Opcode ID: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
                                                                                                                                                                                    • Instruction ID: 086872f0bf6ffc0fec3bf9e050170664210a11ef237051a194e92f35cf11c1a2
                                                                                                                                                                                    • Opcode Fuzzy Hash: f7cd178be2e6469beafc72b660366141f3ce998a63a06fca00c04ee689428cf9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 52D012315455205BC7001B386E0C85B7B599F553317158F37F46AF51E0DB758C62869D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000000), ref: 703F2B6B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544917372.00000000703F0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2545023662.00000000703F4000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2545076782.00000000703F6000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateSnapshotToolhelp32
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3332741929-0
                                                                                                                                                                                    • Opcode ID: c3e720963023acbbd7683bcc0ebed0ba40255b5197c19dd9e94480ead973270f
                                                                                                                                                                                    • Instruction ID: 31e5f06a065fd0d69cf6a8853ca97388b1840105f0c06136ecdd763c29eea2c5
                                                                                                                                                                                    • Opcode Fuzzy Hash: c3e720963023acbbd7683bcc0ebed0ba40255b5197c19dd9e94480ead973270f
                                                                                                                                                                                    • Instruction Fuzzy Hash: E1415FB2800209EFDB21DFA5DD82F5D7779FB04364F31442BEA058A160DE39B991CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 542301482-0
                                                                                                                                                                                    • Opcode ID: 6add73535d334bbd10faeab47eb29d8a703edf5c42766cfe57afeb0baa1f3480
                                                                                                                                                                                    • Instruction ID: 6590b0d0bd135a94e5278e34c2007f8374f9804fe0c2ec815525577e7f77d17f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6add73535d334bbd10faeab47eb29d8a703edf5c42766cfe57afeb0baa1f3480
                                                                                                                                                                                    • Instruction Fuzzy Hash: 01414C71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E0DBB99981CB44

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 703E1710: GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,703E1D1A), ref: 703E1725
                                                                                                                                                                                      • Part of subcall function 703E1710: GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,703E1D1A), ref: 703E1735
                                                                                                                                                                                    • FindWindowExW.USER32 ref: 703E1D3B
                                                                                                                                                                                    • GetDlgItem.USER32(00000000), ref: 703E1D44
                                                                                                                                                                                    • FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 703E1D5E
                                                                                                                                                                                    • GetDlgItem.USER32(00000000), ref: 703E1D61
                                                                                                                                                                                    • FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 703E1D7A
                                                                                                                                                                                    • GetDlgItem.USER32(00000000), ref: 703E1D7D
                                                                                                                                                                                    • FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 703E1D96
                                                                                                                                                                                    • GetDlgItem.USER32(00000000), ref: 703E1D99
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,703E1AF0,?,00000000,000003EC), ref: 703E1DCC
                                                                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 703E1DEA
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 703E1DF3
                                                                                                                                                                                    • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 703E1E01
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 703E1E11
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,703E18C0), ref: 703E1E24
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,703E1910), ref: 703E1E39
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,703E1960), ref: 703E1E4E
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,703E1BD0,?,00000000,00000000), ref: 703E1E71
                                                                                                                                                                                    • Sleep.KERNEL32(0000000A), ref: 703E1E8B
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 703E1E94
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,703E18C0), ref: 703E1EB2
                                                                                                                                                                                    • GetWindowPlacement.USER32(?,?), ref: 703E1EC5
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 703E1ED6
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 703E1EE4
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000044), ref: 703E1F07
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,703E1840), ref: 703E1FA6
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037), ref: 703E1FBB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Long$FindItem$AllocCloseCreateGlobalHandleRectSleepThread$ClientInvalidateMessagePlacementSendShow
                                                                                                                                                                                    • String ID: #32770$,
                                                                                                                                                                                    • API String ID: 2050830551-1531211758
                                                                                                                                                                                    • Opcode ID: 58ef2a8d512cef946fe08475547ebd47ab6de774bd6de7ed4ffa84834eb51317
                                                                                                                                                                                    • Instruction ID: 4f7387ec0c0d11a416677ee028c7d3d77e43b8199761f0d2e5aa682aca159957
                                                                                                                                                                                    • Opcode Fuzzy Hash: 58ef2a8d512cef946fe08475547ebd47ab6de774bd6de7ed4ffa84834eb51317
                                                                                                                                                                                    • Instruction Fuzzy Hash: 718120B3900214AFE620DB77DCC4F6AB7ADE78C654B214729F705972A0D7B8AD058B60

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D94
                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403DB1
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00403DC5
                                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DE1
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00403E02
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403E16
                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00403E1D
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00403ECB
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 00403ED5
                                                                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00403EEF
                                                                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F40
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 00403FE6
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 00404007
                                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404019
                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 00404034
                                                                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040404A
                                                                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 00404051
                                                                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404069
                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040407C
                                                                                                                                                                                    • lstrlenW.KERNEL32(00450248,?,00450248,00000000), ref: 004040A6
                                                                                                                                                                                    • SetWindowTextW.USER32(?,00450248), ref: 004040BA
                                                                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 004041EE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3282139019-0
                                                                                                                                                                                    • Opcode ID: fc0f4d7be1e4c82c86fade982caad82dc734dafc7249948e3003efd3e17736fb
                                                                                                                                                                                    • Instruction ID: ebd8885eb79f40fe398f9982bcc50e4b60f6275a3dc5f5776bcae5bce4ead0d0
                                                                                                                                                                                    • Opcode Fuzzy Hash: fc0f4d7be1e4c82c86fade982caad82dc734dafc7249948e3003efd3e17736fb
                                                                                                                                                                                    • Instruction Fuzzy Hash: AFC1D5B1500304ABDB206F61EE88E2B3A78FB95346F00053EF645B51F1CB799891DB6E

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406694: GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                      • Part of subcall function 00406694: GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                    • lstrcatW.KERNEL32(004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000,771B3420,004CB000,00000000), ref: 00403A2B
                                                                                                                                                                                    • lstrlenW.KERNEL32(Execute: ,?,?,?,Execute: ,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000,00000002,004DF000), ref: 00403AAB
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,.exe,Execute: ,?,?,?,Execute: ,00000000,004CF000,004DB000,00450248,80000001,Control Panel\Desktop\ResourceLocale,00000000,00450248,00000000), ref: 00403ABE
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(Execute: ), ref: 00403AC9
                                                                                                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004CF000), ref: 00403B12
                                                                                                                                                                                      • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                    • RegisterClassW.USER32(00472E80), ref: 00403B4F
                                                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B67
                                                                                                                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B9C
                                                                                                                                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00403BD2
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,00472E80), ref: 00403BFE
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,00472E80), ref: 00403C0B
                                                                                                                                                                                    • RegisterClassW.USER32(00472E80), ref: 00403C14
                                                                                                                                                                                    • DialogBoxParamW.USER32(?,00000000,00403D58,00000000), ref: 00403C33
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$Execute: $RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                    • API String ID: 1975747703-1496268295
                                                                                                                                                                                    • Opcode ID: f1b2be5f89fac0cbf9958f47fdf3d8daba4c0bfed37b59ff3d0d792caf125e20
                                                                                                                                                                                    • Instruction ID: e946f9b6b947081a315c1f95bc525aa973ad4f651662e5f5477bf26fdb3bf1de
                                                                                                                                                                                    • Opcode Fuzzy Hash: f1b2be5f89fac0cbf9958f47fdf3d8daba4c0bfed37b59ff3d0d792caf125e20
                                                                                                                                                                                    • Instruction Fuzzy Hash: B361C8302407007ED720AF669E45E2B3A6CEB8474AF40417FF985B51E2DBBD5951CB2E

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 703E148E
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E149B
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 703E14B0
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E14B3
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040B), ref: 703E14C2
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E14C5
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040C), ref: 703E14D3
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E14D6
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040D), ref: 703E14E5
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E14E8
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040E), ref: 703E14F7
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E14FA
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040F), ref: 703E1508
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E150B
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000416), ref: 703E151A
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,75A523D0,?,703E1ADE,00000001), ref: 703E151D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Show$Item$Find
                                                                                                                                                                                    • String ID: #32770

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetActiveWindow.USER32 ref: 703E19C3
                                                                                                                                                                                    • ShowWindow.USER32(?,00000009), ref: 703E19DC
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 703E19E9
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000047), ref: 703E1A03
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 703E1A15
                                                                                                                                                                                    • GetClientRect.USER32(?,703E4040), ref: 703E1A23
                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,00000401,00000170,?,00000000), ref: 703E1A38
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E1A46
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 703E1A50
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E1A5B
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000), ref: 703E1A71
                                                                                                                                                                                    • GetActiveWindow.USER32 ref: 703E1A8D
                                                                                                                                                                                    • ShowWindow.USER32(?,00000009), ref: 703E1AA6
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 703E1AB1
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000047), ref: 703E1AC6
                                                                                                                                                                                    • DestroyWindow.USER32(?), ref: 703E1AD1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Show$MetricsSystem$ActiveClientRect$DestroyItemMessageSend
                                                                                                                                                                                    • String ID:

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(Execute: ,00002000), ref: 0040641D
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(Execute: ,00002000,00000000,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,?,00405359,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000), ref: 00406430
                                                                                                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00405359,0042F1FB,00000000,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,?,00405359,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000), ref: 0040646C
                                                                                                                                                                                    • SHGetPathFromIDListW.SHELL32(0042F1FB,Execute: ), ref: 0040647A
                                                                                                                                                                                    • CoTaskMemFree.OLE32(0042F1FB), ref: 00406485
                                                                                                                                                                                    • lstrcatW.KERNEL32(Execute: ,\Microsoft\Internet Explorer\Quick Launch), ref: 004064AB
                                                                                                                                                                                    • lstrlenW.KERNEL32(Execute: ,00000000,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,?,00405359,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000), ref: 00406503
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
                                                                                                                                                                                    • String ID: Execute: $Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00402EEE
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,004E7000,00002000,?,00000006,00000008,0000000A), ref: 00402F0A
                                                                                                                                                                                      • Part of subcall function 00405DB0: GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                      • Part of subcall function 00405DB0: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,004EB000,00000000,004D7000,004D7000,004E7000,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F56
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004030B5
                                                                                                                                                                                    • Null, xrefs: 00402FD4
                                                                                                                                                                                    • soft, xrefs: 00402FCB
                                                                                                                                                                                    • Inst, xrefs: 00402FC2
                                                                                                                                                                                    • Error launching installer, xrefs: 00402F2D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                                                                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 811 6ee121cc-6ee121e9 812 6ee121ee-6ee121fb 811->812 813 6ee1221d 812->813 814 6ee121fd-6ee1221b 812->814 813->812 815 6ee1221f-6ee12287 ??2@YAPAXI@Z memset ??2@YAPAXI@Z memset _wsetlocale call 6ee13681 813->815 814->813 818 6ee1228c-6ee12294 815->818 819 6ee122f4 818->819 820 6ee12296-6ee1229a 818->820 822 6ee122f9-6ee12306 call 6ee136d0 819->822 820->819 821 6ee1229c-6ee1229e 820->821 821->819 824 6ee122a0-6ee122a2 821->824 827 6ee12336-6ee12339 822->827 828 6ee12308-6ee1230f 822->828 824->819 826 6ee122a4-6ee122af call 6ee07b30 824->826 826->819 835 6ee122b1-6ee122b8 call 6ee07bd7 826->835 832 6ee12369-6ee1236c 827->832 833 6ee1233b-6ee12342 827->833 830 6ee12311-6ee12313 828->830 831 6ee12325-6ee12333 memset ??3@YAXPAX@Z 828->831 836 6ee12316-6ee1231f 830->836 831->827 837 6ee12344-6ee12346 833->837 838 6ee12358-6ee12366 memset ??3@YAXPAX@Z 833->838 835->819 844 6ee122ba-6ee122c2 call 6ee07b97 835->844 836->836 840 6ee12321-6ee12323 836->840 841 6ee12349-6ee12352 837->841 838->832 840->831 841->841 843 6ee12354-6ee12356 841->843 843->838 847 6ee122c4-6ee122ce call 6ee13659 844->847 848 6ee122eb-6ee122ef 844->848 847->848 852 6ee122d0-6ee122d5 847->852 848->819 850 6ee122f1-6ee122f2 848->850 850->822 852->848 853 6ee122d7-6ee122dc 852->853 853->848 854 6ee122de-6ee122e7 853->854 854->848
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE1223A
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1224B
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE12261
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12271
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE1227C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1232B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,6EE14CE4,00000000,00000000), ref: 6EE12331
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1235E
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000), ref: 6EE12364
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_wsetlocale
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1824925876-2007828011
                                                                                                                                                                                    • Opcode ID: c29b5cb076883c6aac881a1e3300f59644da995e5060cb4b90f8a056baff9241
                                                                                                                                                                                    • Instruction ID: 9bf0f6c974181121b5fa2956e7647c95ded9d26b39eec1ae3c874dcce413255f
                                                                                                                                                                                    • Opcode Fuzzy Hash: c29b5cb076883c6aac881a1e3300f59644da995e5060cb4b90f8a056baff9241
                                                                                                                                                                                    • Instruction Fuzzy Hash: 144113313186025BDB259FA8DC12BEB32EDEF5B708B214429E915DB781EB60D8C1D791

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE112EF
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11300
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE11316
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11326
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE11331
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE113A5
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,?,?,00000000,00000000,00000000), ref: 6EE113AB
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE113D8
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,?,?,00000000,00000000,00000000), ref: 6EE113DE
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_wsetlocale
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1824925876-2007828011
                                                                                                                                                                                    • Opcode ID: 3d698a900de06913f100f0ba435780a8932a19a288f0a934a05015c6e65f9990
                                                                                                                                                                                    • Instruction ID: 511d8399b9455a7fbaa5b22459afd88cd70b931e237989181159fd34a6d56863
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3d698a900de06913f100f0ba435780a8932a19a288f0a934a05015c6e65f9990
                                                                                                                                                                                    • Instruction Fuzzy Hash: A64106727087015BDB119FB9CC46FEB72ACDF85758B26482DF812DB785EB20D8818690

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 953 40176f-401794 call 402c41 call 405c06 958 401796-40179c call 4062ba 953->958 959 40179e-4017b0 call 4062ba call 405b8f lstrcatW 953->959 964 4017b5-4017b6 call 40654e 958->964 959->964 968 4017bb-4017bf 964->968 969 4017c1-4017cb call 4065fd 968->969 970 4017f2-4017f5 968->970 978 4017dd-4017ef 969->978 979 4017cd-4017db CompareFileTime 969->979 972 4017f7-4017f8 call 405d8b 970->972 973 4017fd-401819 call 405db0 970->973 972->973 980 40181b-40181e 973->980 981 40188d-4018b6 call 405322 call 403116 973->981 978->970 979->978 982 401820-40185e call 4062ba * 2 call 4062dc call 4062ba call 405920 980->982 983 40186f-401879 call 405322 980->983 995 4018b8-4018bc 981->995 996 4018be-4018ca SetFileTime 981->996 982->968 1015 401864-401865 982->1015 993 401882-401888 983->993 997 402ace 993->997 995->996 999 4018d0-4018db CloseHandle 995->999 996->999 1002 402ad0-402ad4 997->1002 1000 4018e1-4018e4 999->1000 1001 402ac5-402ac8 999->1001 1004 4018e6-4018f7 call 4062dc lstrcatW 1000->1004 1005 4018f9-4018fc call 4062dc 1000->1005 1001->997 1011 401901-4022f2 1004->1011 1005->1011 1016 4022f7-4022fc 1011->1016 1017 4022f2 call 405920 1011->1017 1015->993 1018 401867-401868 1015->1018 1016->1002 1017->1016 1018->983
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,004D3000,?,?,00000031), ref: 004017B0
                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,00000000,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,004D3000,?,?,00000031), ref: 004017D5
                                                                                                                                                                                      • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                      • Part of subcall function 00405322: lstrcatW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,0040327A,0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0), ref: 0040537D
                                                                                                                                                                                      • Part of subcall function 00405322: SetWindowTextW.USER32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true), ref: 0040538F
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                    • String ID: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\System.dll
                                                                                                                                                                                    • API String ID: 1941528284-549931956
                                                                                                                                                                                    • Opcode ID: 84cc1ef8d08a74648e49299eefb5f22073aa957ae4a4092afed5da839c45f715
                                                                                                                                                                                    • Instruction ID: c6e8234c1d4b6e0ef99598e998ad36802638a9a190aaa2bd7459f070bf199d51
                                                                                                                                                                                    • Opcode Fuzzy Hash: 84cc1ef8d08a74648e49299eefb5f22073aa957ae4a4092afed5da839c45f715
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9841B471900514BACF107BA5CD45DAF3A79EF05368F20423FF422B10E1DA3C86919A6E

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 1019 703e1af0-703e1b16 CreateDialogParamW 1020 703e1b1c-703e1b6f GetDlgItem SendMessageW * 2 IsWindow 1019->1020 1021 703e1bc1-703e1bc6 1019->1021 1022 703e1bb5-703e1bc0 1020->1022 1023 703e1b71-703e1b7f 1020->1023 1022->1021 1024 703e1b85-703e1b9a PeekMessageW 1023->1024 1025 703e1b9c-703e1ba3 DispatchMessageW 1024->1025 1026 703e1ba5 WaitMessage 1024->1026 1027 703e1ba7-703e1bb1 IsWindow 1025->1027 1026->1027 1027->1024 1028 703e1bb3-703e1bb4 1027->1028 1028->1022
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDialogParamW.USER32(?,00000068,?,703E19B0,00000000), ref: 703E1B09
                                                                                                                                                                                    • GetDlgItem.USER32(00000000,000003E9), ref: 703E1B24
                                                                                                                                                                                    • SendMessageW.USER32(?,00000407,00000000,00000000), ref: 703E1B45
                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000000,?), ref: 703E1B5C
                                                                                                                                                                                    • IsWindow.USER32(?), ref: 703E1B6B
                                                                                                                                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000001), ref: 703E1B96
                                                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 703E1BA1
                                                                                                                                                                                    • WaitMessage.USER32 ref: 703E1BA5
                                                                                                                                                                                    • IsWindow.USER32(?), ref: 703E1BAD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$SendWindow$CreateDialogDispatchItemParamPeekWait
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3171392467-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,?,?,?,00000000,703E1D1A), ref: 703E1725
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,?,?,?,00000000,703E1D1A), ref: 703E1735
                                                                                                                                                                                      • Part of subcall function 703E2197: lstrcpyW.KERNEL32(?,771B05F4,771B05F0,703E1746,00000000,?,?,?,?,00000000,703E1D1A), ref: 703E21B6
                                                                                                                                                                                      • Part of subcall function 703E2197: GlobalFree.KERNEL32(771B05F0), ref: 703E21C6
                                                                                                                                                                                    • DestroyIcon.USER32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 703E17B0
                                                                                                                                                                                    • LoadImageW.USER32(00000000,00000000,00000001,00000020,00000020,00000010), ref: 703E17CB
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000067,00000001,00000020,00000020,00000000,00000000,?,?,?,?,00000000,703E1D1A), ref: 703E17F2
                                                                                                                                                                                    • LoadImageW.USER32(00000000,?,?,?,?,00000000), ref: 703E17F9
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703E1807
                                                                                                                                                                                    • GlobalFree.KERNELBASE(00000000), ref: 703E180A
                                                                                                                                                                                      • Part of subcall function 703E13D0: lstrcmpiW.KERNEL32(?,/TL,00000000,771B05F0,703E1754,00000000,00000000,?,?,?,?,00000000,703E1D1A), ref: 703E13E2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$AllocImageLoad$DestroyHandleIconModulelstrcmpilstrcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 385367520-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                    • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                    • API String ID: 2200240437-1946221925
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                                                                    • String ID: ... %d%%
                                                                                                                                                                                    • API String ID: 551687249-2449383134
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeGlobal
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2979337801-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalFree.KERNELBASE(00000000), ref: 703F24D6
                                                                                                                                                                                      • Part of subcall function 703F122C: lstrcpynW.KERNEL32(00000000,?,703F12DF,00000019,703F11BE,-000000A0), ref: 703F123C
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040), ref: 703F245C
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 703F2477
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4216380887-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 703E1873
                                                                                                                                                                                    • UpdateWindow.USER32(?), ref: 703E187B
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 703E188B
                                                                                                                                                                                    • UpdateWindow.USER32(?), ref: 703E1894
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 703E18AB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$InvalidateRectUpdate$CallProc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3315039345-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 703F1B5F: GlobalFree.KERNEL32(?), ref: 703F1DB2
                                                                                                                                                                                      • Part of subcall function 703F1B5F: GlobalFree.KERNEL32(?), ref: 703F1DB7
                                                                                                                                                                                      • Part of subcall function 703F1B5F: GlobalFree.KERNEL32(?), ref: 703F1DBC
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F1825
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 703F18AB
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F18D0
                                                                                                                                                                                      • Part of subcall function 703F2352: GlobalAlloc.KERNEL32(00000040,?), ref: 703F2383
                                                                                                                                                                                      • Part of subcall function 703F2724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,703F17F6,00000000), ref: 703F27F4
                                                                                                                                                                                      • Part of subcall function 703F15C6: wsprintfW.USER32 ref: 703F15F4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3962662361-3916222277
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                                                                    • String ID: !
                                                                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,00000023,00000011,00000002), ref: 0040242F
                                                                                                                                                                                    • RegSetValueExW.KERNEL32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,00000000,00000011,00000002), ref: 0040246F
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp
                                                                                                                                                                                    • API String ID: 2655323295-4128723618
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405848
                                                                                                                                                                                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040585D
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405867
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3449924974-0
                                                                                                                                                                                    • Opcode ID: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
                                                                                                                                                                                    • Instruction ID: d156970015101e62572267df52bf1fb018b172c5ebb67f048bc3511340661aba
                                                                                                                                                                                    • Opcode Fuzzy Hash: 817c7eeb2e6ade2cce28f3b9d2e4670c9c7091e2f59c9eba6f9578a5288f1365
                                                                                                                                                                                    • Instruction Fuzzy Hash: EB010872D00219EADF009FA1C944BEFBBB8EF14304F00803AE945B6280D7789618CFA9
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004062BA: lstrcpynW.KERNEL32(?,?,00002000,00403460,00472EE0,NSIS Error,?,00000006,00000008,0000000A), ref: 004062C7
                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(?,?,00464250,?,00405CAE,00464250,00464250,004DF000,?,771B3420,004059EC,?,004DF000,771B3420,00000000), ref: 00405C48
                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                                                                    • lstrlenW.KERNEL32(00464250,00000000,00464250,00464250,004DF000,?,771B3420,004059EC,?,004DF000,771B3420,00000000), ref: 00405CF0
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(00464250,00464250,00464250,00464250,00464250,00464250,00000000,00464250,00464250,004DF000,?,771B3420,004059EC,?,004DF000,771B3420), ref: 00405D00
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                    • String ID: PBF
                                                                                                                                                                                    • API String ID: 3248276644-3456974464
                                                                                                                                                                                    • Opcode ID: 1236b3014a845ece28ca986cac263987dd07c4e4a123605a37d0802bd6a8cdf3
                                                                                                                                                                                    • Instruction ID: 4e01e145a0ed536ad24acc563e8a85444835dd946e40d448b56664b374cc0476
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1236b3014a845ece28ca986cac263987dd07c4e4a123605a37d0802bd6a8cdf3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 21F0F43500DF6125F626333A1C45AAF2555CE82328B6A057FFC62B12D2DA3C89539D7E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.KERNEL32(?,?,00000000,00000000,?,00004000,00000002,?,00000000,?,?,Execute: ,?,?,004063FC,80000002), ref: 004061CE
                                                                                                                                                                                    • RegCloseKey.KERNEL32(?,?,004063FC,80000002,Software\Microsoft\Windows\CurrentVersion,Execute: ,Execute: ,Execute: ,00000000,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true), ref: 004061D9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID: Execute:
                                                                                                                                                                                    • API String ID: 3356406503-3756222843
                                                                                                                                                                                    • Opcode ID: 7e8f2b507172300fff4d18ea8023ba838134d56d13ff8a7450bb17b0ad457722
                                                                                                                                                                                    • Instruction ID: 8659262355d6ebf2290daf59b07b2549fc881bd87fa0bb5ea6267207f8cb0b09
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7e8f2b507172300fff4d18ea8023ba838134d56d13ff8a7450bb17b0ad457722
                                                                                                                                                                                    • Instruction Fuzzy Hash: 68017C72500209EADF218F51DD09EDB3BB8EF55364F01403AFE16A61A1D378DA64EBA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00405DFD
                                                                                                                                                                                    • GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,004CB000,0040338D,004DB000,004DF000,004DF000,004DF000,004DF000,004DF000,771B3420,004035D9), ref: 00405E18
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                                                    • String ID: nsa
                                                                                                                                                                                    • API String ID: 1716503409-2209301699
                                                                                                                                                                                    • Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                                                                    • Instruction ID: af8b6ba947558e1b0daa3aed001b6e0f80e178ffca66ecedc63f3e0829e9a41e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 61F03076A00304FBEB009F69ED05E9FB7BCEB95710F10803AE941E7250E6B09A548B64
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00468250,Error launching installer), ref: 004058CC
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Error launching installer, xrefs: 004058B6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                                                                                                    • String ID: Error launching installer
                                                                                                                                                                                    • API String ID: 3712363035-66219284
                                                                                                                                                                                    • Opcode ID: 63fdd641d1b9510881a379fce0cbff5cab58f1c092c5a17148380fd449a2e826
                                                                                                                                                                                    • Instruction ID: 30392a530fa928b09b8412afc6dc4f2cd20664ca8a9f97139eafb5a2ce14b88a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 63fdd641d1b9510881a379fce0cbff5cab58f1c092c5a17148380fd449a2e826
                                                                                                                                                                                    • Instruction Fuzzy Hash: 33E09AB5540609BFEB009B64DD05F7B77ACEB04708F508565BD51F2150EB749C148A79
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040205D
                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                      • Part of subcall function 00405322: lstrcatW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,0040327A,0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0), ref: 0040537D
                                                                                                                                                                                      • Part of subcall function 00405322: SetWindowTextW.USER32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true), ref: 0040538F
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 334405425-0
                                                                                                                                                                                    • Opcode ID: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
                                                                                                                                                                                    • Instruction ID: 3abd81b96889d1c7eb1cceed2e7b5e281284f1a6e6a9a5ff44b88a827c8e1d1c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 72a5e19f9697d1318c9a310d29b5b60265bfdb2e952e74c10cb73e1909f0eb38
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8821B071D00205AACF20AFA5CE48A9E7A70BF04358F60413BF511B11E0DBBD8981DA6E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalFree.KERNEL32(0095E038), ref: 00401BE7
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00004004), ref: 00401BF9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true, xrefs: 00401B9E, 00401BA4, 00401BBE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree
                                                                                                                                                                                    • String ID: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true
                                                                                                                                                                                    • API String ID: 3394109436-569256161
                                                                                                                                                                                    • Opcode ID: 0ee5b69d2cfb3a0a2e0f3aae0319e9b1983c649d140d642359d16bc307d41886
                                                                                                                                                                                    • Instruction ID: 2ffc4b8e8b305263ff1bfe934f744a2e7f0909984677ca7ca3d2d917788d1148
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0ee5b69d2cfb3a0a2e0f3aae0319e9b1983c649d140d642359d16bc307d41886
                                                                                                                                                                                    • Instruction Fuzzy Hash: 52210A76600100ABCB10FF95CE8499E73A8EB48318BA4443FF506F32D0DB78A852DB6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 004065FD: FindFirstFileW.KERNEL32(004DF000,00468298,00464250,00405CE0,00464250,00464250,00000000,00464250,00464250,004DF000,?,771B3420,004059EC,?,004DF000,771B3420), ref: 00406608
                                                                                                                                                                                      • Part of subcall function 004065FD: FindClose.KERNEL32(00000000), ref: 00406614
                                                                                                                                                                                    • lstrlenW.KERNEL32 ref: 00402299
                                                                                                                                                                                    • lstrlenW.KERNEL32(00000000), ref: 004022A4
                                                                                                                                                                                    • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004022CD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindlstrlen$CloseFirstOperation
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1486964399-0
                                                                                                                                                                                    • Opcode ID: 29d6f0bed4bd2d50b69dd1226e545e03bb95794d8620927361660d91590f24b0
                                                                                                                                                                                    • Instruction ID: edc96df04b91ed766a503f65766f364d086ea8d205cfe5bb15309c141496b913
                                                                                                                                                                                    • Opcode Fuzzy Hash: 29d6f0bed4bd2d50b69dd1226e545e03bb95794d8620927361660d91590f24b0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 57117071900318A6DB10EFF98E4999EB7B8AF04344F50443FB805F72D1D6B8C4419B59
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcpynW.KERNEL32(6EE1959C,6EE195A0,6EE137D5,6EE1959C,6EE137D5,?), ref: 6EE136AF
                                                                                                                                                                                    • GlobalFree.KERNELBASE(6EE1959C), ref: 6EE136BF
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeGloballstrcpyn
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1459762280-2007828011
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 0040676B
                                                                                                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00406778
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ObjectSingleWait$CodeExitProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2567322000-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(?,?,00464250,?,00405CAE,00464250,00464250,004DF000,?,771B3420,004059EC,?,004DF000,771B3420,00000000), ref: 00405C48
                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C4D
                                                                                                                                                                                      • Part of subcall function 00405C3A: CharNextW.USER32(00000000), ref: 00405C65
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                      • Part of subcall function 004057F1: CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405834
                                                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,004D3000,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1892508949-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 004024B5
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,00000000,00000011,00000002), ref: 00402557
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00000402,?,00000000), ref: 703E18E9
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 703E1902
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CallMessageProcSendWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3536146835-0
                                                                                                                                                                                    • Opcode ID: d098cba116f8f82bdef2c0bbfaa6cd890bccf08b858ee2fe219190de13ae21fb
                                                                                                                                                                                    • Instruction ID: ba74bd7898e17a38c4af35467b7bf0e863d7fc2edb02fdf5192138b1b3bc83db
                                                                                                                                                                                    • Opcode Fuzzy Hash: d098cba116f8f82bdef2c0bbfaa6cd890bccf08b858ee2fe219190de13ae21fb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 94E01C72600210ABD220DB66DD88F5BBBBEEB88660F114A19F70593290D2B0AC01C761
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 00401E67
                                                                                                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00401E72
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$EnableShow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1136574915-0
                                                                                                                                                                                    • Opcode ID: 87f8232cb56b7a5d6ce9856bfa50bd061077f9975d19b3a51d23438555d97d86
                                                                                                                                                                                    • Instruction ID: fc8c1c2e7d4a5a8f9e35cd12a8e681b154a8316ed36a6d041aa31def844ca7e2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 87f8232cb56b7a5d6ce9856bfa50bd061077f9975d19b3a51d23438555d97d86
                                                                                                                                                                                    • Instruction Fuzzy Hash: 61E01A72E082008FE724ABA5AA495AD77B4EB90365B20847FE211F11D1DA7858819F6A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendDlgItemMessageW.USER32(?,000003EB,0000000C,00000000,?), ref: 703E192F
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?,?), ref: 703E1947
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CallItemMessageProcSendWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2540570209-0
                                                                                                                                                                                    • Opcode ID: dac1c6ec8f98defbe7a681c1ed3280b1bd8d5d22358b6321669c3c11a902128b
                                                                                                                                                                                    • Instruction ID: 86a3403e4763983801323708dfbb33f35b4de11d8aaea6acb43377fcc79dc1e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: dac1c6ec8f98defbe7a681c1ed3280b1bd8d5d22358b6321669c3c11a902128b
                                                                                                                                                                                    • Instruction Fuzzy Hash: D1E0ED77A04210BBE120DB56DC88F8BB7BDEBCDB21F114A19F64593291C2B0AC4587A1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,00403401,0000000A), ref: 004066A6
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 004066C1
                                                                                                                                                                                      • Part of subcall function 00406624: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040663B
                                                                                                                                                                                      • Part of subcall function 00406624: wsprintfW.USER32 ref: 00406676
                                                                                                                                                                                      • Part of subcall function 00406624: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040668A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2547128583-0
                                                                                                                                                                                    • Opcode ID: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
                                                                                                                                                                                    • Instruction ID: 155b38c425e345f43688a0673e138072f65e923c2ca09dacbbabb210d44f0fbf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2c450699f5e5c6ed5e41876474a170b73f17b01a65d70064c3ee9ca103cb2d45
                                                                                                                                                                                    • Instruction Fuzzy Hash: 50E0863250461156D31197709E4487762EC9B95750307483EF946F2091DB399C36A66D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesCreate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 415043291-0
                                                                                                                                                                                    • Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                                                                    • Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
                                                                                                                                                                                    • Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(?,?,00405990,?,?,00000000,00405B66,?,?,?,?), ref: 00405D90
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405DA4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00403382,004DF000,004DF000,004DF000,004DF000,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 00405874
                                                                                                                                                                                    • GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405882
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,?,703F155E,?), ref: 703F1288
                                                                                                                                                                                    • lstrcpynW.KERNEL32(00000004,?,?,703F155E,?), ref: 703F129E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocGloballstrcpyn
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3204721840-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegCreateKeyExW.KERNEL32(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 0040617E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,?,?,004032FA,000000FF,00428200,?,00428200,?,?,00000004,00000000), ref: 00405E76
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000004,00000004,00000000,?,?,00403344,00000000,00000000,00403168,?,00000004,00000000,00000000,00000000), ref: 00405E47
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                    • Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                                                    • Instruction ID: bd732019988057c431ec21c3a2c50b1292625b962aa4d7912315599e48db2a91
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
                                                                                                                                                                                    • Instruction Fuzzy Hash: A9E08C3220021AABCF20AF54DC00FEB3B6CEB05760F004832FD65E6040E230EA219BE8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualProtect.KERNEL32(703F505C,00000004,00000040,703F504C), ref: 703F29B1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: b3b179b49a53a5c397d1283e9d627d4171cdf3019ff28287592f5f92fae6a698
                                                                                                                                                                                    • Instruction ID: bdb021edc188dda60383ea0c0535b6f8b62698eeec2ab22f7d10035fa1091369
                                                                                                                                                                                    • Opcode Fuzzy Hash: b3b179b49a53a5c397d1283e9d627d4171cdf3019ff28287592f5f92fae6a698
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8EF0A5F2501286EEC350CF2A8C44F093FE8B708305F21452BE388D6260EB747644CB95
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,004061B5,?,00000000,?,?,Execute: ,?), ref: 0040614B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                    • Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                    • Instruction ID: b908bd292ce434c6339c018d18c1e3bfafdd2f7559b63d477f04a141d62eba1a
                                                                                                                                                                                    • Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 94D0123214020DFBDF119E909D01FAB775DAB08350F014426FE06A9191D776D530AB14
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,?,00000000), ref: 0040424B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemText
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3367045223-0
                                                                                                                                                                                    • Opcode ID: fbaad98f197721c3337b4145f660dfcccd1462cc21775b0cc75c291dee439915
                                                                                                                                                                                    • Instruction ID: 58c8b0ee816a9f079cb4560b894257bfb9dfa06490f5d5235509ae25e2c95a64
                                                                                                                                                                                    • Opcode Fuzzy Hash: fbaad98f197721c3337b4145f660dfcccd1462cc21775b0cc75c291dee439915
                                                                                                                                                                                    • Instruction Fuzzy Hash: 79C04C76148300BFD681BB55CC42F1FB79DEF94315F44C52EB59CA11E2C63A84309B26
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    • Opcode ID: df53f0ac968c80b2573d185eedc41732bb4466fa0b660203ffcc6a72f8356a2c
                                                                                                                                                                                    • Instruction ID: 539d97cecbd0a6245bb22c05259f77f590d4a0b0d5c0f28d123e3a53dcb21da8
                                                                                                                                                                                    • Opcode Fuzzy Hash: df53f0ac968c80b2573d185eedc41732bb4466fa0b660203ffcc6a72f8356a2c
                                                                                                                                                                                    • Instruction Fuzzy Hash: C6C09BB27403007BDE11CB909E49F1777545790740F18447DB348F51E0D6B4D490D61C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,004030A4,?,?,00000006,00000008,0000000A), ref: 00403355
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                    • Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                    • Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
                                                                                                                                                                                    • Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
                                                                                                                                                                                    • Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(00000028,?,00000001,00404091), ref: 00404274
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    • Opcode ID: 916ba585e608d634958797641490031ceb4b368d387894d1e0aab50b7c43ae9e
                                                                                                                                                                                    • Instruction ID: 80b1fa8ab317a3fb83bf0bb9afc1fcb2ede285a6b5c9b7890d3d6fe7da01b763
                                                                                                                                                                                    • Opcode Fuzzy Hash: 916ba585e608d634958797641490031ceb4b368d387894d1e0aab50b7c43ae9e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 69B092361C4600AAEE118B50DE49F497A62E7A4702F008138B244640B0CAB200E0DB09
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • KiUserCallbackDispatcher.NTDLL(?,0040402A), ref: 0040425D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CallbackDispatcherUser
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2492992576-0
                                                                                                                                                                                    • Opcode ID: ea082ecd867c03a11dfd78164402b3a9c9d6e2ba96aa803d9d5c73deeff3904d
                                                                                                                                                                                    • Instruction ID: 6a6b83ba7992c3eb947fe44f0607646ae594aefa1fc7371f7d6a783f6fb0b7b0
                                                                                                                                                                                    • Opcode Fuzzy Hash: ea082ecd867c03a11dfd78164402b3a9c9d6e2ba96aa803d9d5c73deeff3904d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4EA002754445019BCF015B50DF098057A61F7A4701B114479B5555103596314860EB19
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                      • Part of subcall function 00405322: lstrlenW.KERNEL32(0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                      • Part of subcall function 00405322: lstrcatW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,0040327A,0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0), ref: 0040537D
                                                                                                                                                                                      • Part of subcall function 00405322: SetWindowTextW.USER32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true), ref: 0040538F
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                      • Part of subcall function 00405322: SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                      • Part of subcall function 004058A3: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00468250,Error launching installer), ref: 004058CC
                                                                                                                                                                                      • Part of subcall function 004058A3: CloseHandle.KERNEL32(?), ref: 004058D9
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401F4D
                                                                                                                                                                                      • Part of subcall function 00406745: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406756
                                                                                                                                                                                      • Part of subcall function 00406745: GetExitCodeProcess.KERNEL32(?,?), ref: 00406778
                                                                                                                                                                                      • Part of subcall function 00406201: wsprintfW.USER32 ref: 0040620E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2972824698-0
                                                                                                                                                                                    • Opcode ID: 3aa13868f7f5c1765abe0e1dc298aed27b0d2a36c3fd960b5cd9165ff5b25e78
                                                                                                                                                                                    • Instruction ID: de14e59f9d228f74b736d218c43509b70c65838e16dc92f6af981b675cb94e68
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3aa13868f7f5c1765abe0e1dc298aed27b0d2a36c3fd960b5cd9165ff5b25e78
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0EF0F0329090219BDB20FBA1898859E72A49F44318B2441BBF902B20D1CBBC0E509AAE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,703F123B,?,703F12DF,00000019,703F11BE,-000000A0), ref: 703F1225
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocGlobal
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3761449716-0
                                                                                                                                                                                    • Opcode ID: 8f1c45348a608d2901c9a96cede51222058f8535ee6604549c0b8e8429d51fee
                                                                                                                                                                                    • Instruction ID: a2a1f0d67ec7956b3dfe93d87191426deac3fcc915c1a656adebb6f2ea615a29
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8f1c45348a608d2901c9a96cede51222058f8535ee6604549c0b8e8429d51fee
                                                                                                                                                                                    • Instruction Fuzzy Hash: 79B01272A00001FFFE008B65CC06F34325CE700301F144000F700C0190C9606900C534
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404CB6
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404CC1
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404D0B
                                                                                                                                                                                    • LoadBitmapW.USER32(0000006E), ref: 00404D1E
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00405296), ref: 00404D37
                                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404D4B
                                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404D5D
                                                                                                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404D73
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404D7F
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404D91
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00404D94
                                                                                                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404DBF
                                                                                                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404DCB
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404E61
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404E8C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404EA0
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404ECF
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404EDD
                                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00404EEE
                                                                                                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404FEB
                                                                                                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00405050
                                                                                                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405065
                                                                                                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405089
                                                                                                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004050A9
                                                                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 004050BE
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 004050CE
                                                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405147
                                                                                                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 004051F0
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004051FF
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040521F
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 0040526D
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00405278
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 0040527F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                    • String ID: $M$N
                                                                                                                                                                                    • API String ID: 1638840714-813528018
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404771
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 0040479B
                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040484C
                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404857
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(Execute: ,00450248,00000000,?,?), ref: 00404889
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,Execute: ), ref: 00404895
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 004048A7
                                                                                                                                                                                      • Part of subcall function 00405904: GetDlgItemTextW.USER32(?,?,00002000,004048DE), ref: 00405917
                                                                                                                                                                                      • Part of subcall function 0040654E: CharNextW.USER32(?,*?|<>/":,00000000,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                      • Part of subcall function 0040654E: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                      • Part of subcall function 0040654E: CharNextW.USER32(?,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                      • Part of subcall function 0040654E: CharPrevW.USER32(?,?,004DF000,004DF000,004CB000,0040336A,004DF000,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(00440218,?,?,0000040F,?,00440218,00440218,?,00000001,00440218,?,?,000003FB,?), ref: 0040496A
                                                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404985
                                                                                                                                                                                      • Part of subcall function 00404ADE: lstrlenW.KERNEL32(00450248,00450248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                      • Part of subcall function 00404ADE: wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                      • Part of subcall function 00404ADE: SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: A$Execute:
                                                                                                                                                                                    • API String ID: 2624150263-52275644
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000040,00000000,76787AD0,00000000,?,?,?,?,?,?,?,6EE12E09), ref: 6EE07E9E
                                                                                                                                                                                    • CryptProtectData.CRYPT32(?,00000000,?,00000000,00000000,?,?), ref: 6EE07EEA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@CryptDataProtect
                                                                                                                                                                                    • String ID: .n$.n
                                                                                                                                                                                    • API String ID: 2158863181-401145809
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: @$on$on
                                                                                                                                                                                    • API String ID: 0-3361117837
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemTime.KERNEL32(?), ref: 6EE0EB2A
                                                                                                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 6EE0EB38
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Time$System$File
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2838179519-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CryptUnprotectData.CRYPT32(00000000,00000000,00000000,00000000,00000000,00000001,?), ref: 6EE07D58
                                                                                                                                                                                      • Part of subcall function 6EE07C5A: ??2@YAPAXI@Z.MSVCRT(?,00000000,?,6EE07F18,?,?,?,?,?,?,?,?,6EE12E09), ref: 6EE07C6D
                                                                                                                                                                                      • Part of subcall function 6EE07C5A: memcpy.MSVCRT(00000000,6EE07F18,?,?,6EE07F18,?,?,?,?,?,?,?,?,6EE12E09), ref: 6EE07C7C
                                                                                                                                                                                      • Part of subcall function 6EE07C34: LocalFree.KERNEL32(?,6EE07F62,?,?,?,?,?,?,?,?,?,?,6EE12E09), ref: 6EE07C4F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@CryptDataFreeLocalUnprotectmemcpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 4061794698-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1974802433-0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: P
                                                                                                                                                                                    • API String ID: 0-3110715001
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID: h
                                                                                                                                                                                    • API String ID: 0-2439710439
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                    • Instruction ID: 703def0becceeecb9d8561ea32c53bcab4b84ebc773a8a1d0b412cad538f794c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9639f9c0007cb4c124acbb6985d7f6f1a05031d6bc3fffd11e08744ca1378656
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1EE1797190470ADFDB24CF99C880BAAB7F5FF44305F15852EE497A7291E378AA91CB04
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 0e4e8af0329ccb159007ad6c77c0af05cb35f857c46231da8f5d0a1659340364
                                                                                                                                                                                    • Instruction ID: 59779062152899835760f0dc2f5c49596223a290c6efd11eddd93cbc7c663e45
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e4e8af0329ccb159007ad6c77c0af05cb35f857c46231da8f5d0a1659340364
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0FC15831E04219DBDF18CF68C8905EEBBB2BF88314F25866AC85677380D734A942CF95
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 995b6c5dfa6c539ab0f8eabc496c0aedd97731ef17bf6b7e35e071542f22d4d8
                                                                                                                                                                                    • Instruction ID: c75f591cfb801cbc021bf8ebcc8e83743979b7a0146b3dadc7db7387685c6b6d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 995b6c5dfa6c539ab0f8eabc496c0aedd97731ef17bf6b7e35e071542f22d4d8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 43B16475B04B048FE3A8DEBAD590757F7E2BB88200F51C93D96AAC7B54DA70B416CB40
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 945087bf9c835ea0e0556309262576714caf11d0fd398d95ed5f9573df0ebdf8
                                                                                                                                                                                    • Instruction ID: 1549facdb3da2ef312f0f35e80a7d758b58bbbf352054728a81248036cebabae
                                                                                                                                                                                    • Opcode Fuzzy Hash: 945087bf9c835ea0e0556309262576714caf11d0fd398d95ed5f9573df0ebdf8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2841B872D011298FDB18CFB9C98569EF7B2FF8C310F56C169D815BB225D630A9428F94
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 1655325d0c7da7cf04e546b7a614bec399929f43b2f551752cbc6ad2921aea48
                                                                                                                                                                                    • Instruction ID: 4e07db0e1a6502b93e716c2bb83fb537851114f01c40a73ddb5144a9971faea4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1655325d0c7da7cf04e546b7a614bec399929f43b2f551752cbc6ad2921aea48
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9D31C13BB74A5347CB08CDBCE8C558A33D1E3CB32179A4669CE10C3245D2BADBE18599
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 612ecc4781bd7adc8b8133cb61aaaf50c3e50730a047228a4e069a1ac84bf1ad
                                                                                                                                                                                    • Instruction ID: a6dcb0209f5552d28e68d6e4f3f0930bf650c792fd58f0e4e2cd99f9937f8427
                                                                                                                                                                                    • Opcode Fuzzy Hash: 612ecc4781bd7adc8b8133cb61aaaf50c3e50730a047228a4e069a1ac84bf1ad
                                                                                                                                                                                    • Instruction Fuzzy Hash: EAF0FD22F245320B1B9DAC3D5F2D02A8A864AC885430BC77EED9EEB2DCE854DD2591D5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID:
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID:
                                                                                                                                                                                    • Opcode ID: 940b92d31a3313092d7a9a12d82719be9bc5d6fe5155e344a382ecfa8c79956d
                                                                                                                                                                                    • Instruction ID: 2b7dc17b2d7114d353e055f655ecdf926e1efc6612c0aad4f5ee8b1d3643742a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 940b92d31a3313092d7a9a12d82719be9bc5d6fe5155e344a382ecfa8c79956d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2DF09A2490E281CCC7498628C0A5B68BE81D7D2102F5DC1ECD2C70BB5AC9A8910DC362
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,76744C20,?,00000000,?,6EE10947,?,?,?,76744C20), ref: 6EE06907
                                                                                                                                                                                    • GetFileSizeEx.KERNEL32(00000000,?,?,6EE10947,?,?,?,76744C20,?,00000000,?,00000000), ref: 6EE06937
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Failed to skip the offset bytes!,StdUtils::AppendToFile,00040010), ref: 6EE06959
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000000,?,00000000), ref: 6EE06963
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000004,00000000,00000000,?,6EE10947,?,?,?,76744C20,?,00000000,?), ref: 6EE069C7
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Failed to seek to the end of output file!,StdUtils::AppendToFile,00040010), ref: 6EE06A0B
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000000,?,00000000), ref: 6EE06A1B
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 6EE06A21
                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,00002000,?,00000000), ref: 6EE06AC1
                                                                                                                                                                                    • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 6EE06AE9
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Failed to read from source file!,StdUtils::AppendToFile,00040010), ref: 6EE06B4F
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,00000000,?,00000000), ref: 6EE06B5F
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 6EE06B65
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Failed to open output file for writing!,StdUtils::AppendToFile,00040010), ref: 6EE06B94
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,6EE10947,?,?,?,76744C20,?,00000000,?,00000000), ref: 6EE06BA4
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Failed to open source file for reading!,StdUtils::AppendToFile,00040010), ref: 6EE06BD0
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,6EE10947,?,?,?,76744C20,?,00000000,?,00000000), ref: 6EE06BE0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to write to output file!, xrefs: 6EE06B30
                                                                                                                                                                                    • StdUtils::AppendToFile, xrefs: 6EE06B2B
                                                                                                                                                                                    • Failed to get size of source file!, xrefs: 6EE06953
                                                                                                                                                                                    • StdUtils::AppendToFile, xrefs: 6EE06B89
                                                                                                                                                                                    • StdUtils::AppendToFile, xrefs: 6EE06A00
                                                                                                                                                                                    • Failed to open source file for reading!, xrefs: 6EE06BCA
                                                                                                                                                                                    • StdUtils::AppendToFile, xrefs: 6EE06B44
                                                                                                                                                                                    • StdUtils::AppendToFile, xrefs: 6EE069B0
                                                                                                                                                                                    • StdUtils::AppendToFile, xrefs: 6EE0694E
                                                                                                                                                                                    • Failed to skip the offset bytes!, xrefs: 6EE069B5
                                                                                                                                                                                    • StdUtils::AppendToFile, xrefs: 6EE06BC5
                                                                                                                                                                                    • Failed to read from source file!, xrefs: 6EE06B49
                                                                                                                                                                                    • Failed to seek to the end of output file!, xrefs: 6EE06A05
                                                                                                                                                                                    • Failed to open output file for writing!, xrefs: 6EE06B8E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandle$FileMessage$Create$ReadSizeWrite
                                                                                                                                                                                    • String ID: Failed to get size of source file!$Failed to open output file for writing!$Failed to open source file for reading!$Failed to read from source file!$Failed to seek to the end of output file!$Failed to skip the offset bytes!$Failed to write to output file!$StdUtils::AppendToFile$StdUtils::AppendToFile$StdUtils::AppendToFile$StdUtils::AppendToFile$StdUtils::AppendToFile$StdUtils::AppendToFile$StdUtils::AppendToFile
                                                                                                                                                                                    • API String ID: 724864522-2262125740
                                                                                                                                                                                    • Opcode ID: 9bac426f412e7fe0325e6f135c8e349839e12c927118297b44ba9b2856e62d93
                                                                                                                                                                                    • Instruction ID: f8f523f3034539d99281165de2f9af03540fa3fea3938655c346bc0cd756c926
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9bac426f412e7fe0325e6f135c8e349839e12c927118297b44ba9b2856e62d93
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7891D4B1568343AFDB10DE90CC80B9A7BF4EB8535CF60092EF59166A50E331C9E99B12
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$Message_snwprintf
                                                                                                                                                                                    • String ID: Running on an unknown windows version v%u.%u!$StdUtils::get_os_friendly_name$Windows 10$Windows 2000$Windows 2000 (Server)$Windows 7$Windows 8$Windows 8.1$Windows NT 4.0$Windows NT 4.0 (Server)$Windows Server 2003$Windows Server 2008$Windows Server 2008 R2$Windows Server 2012$Windows Server 2012 R2$Windows Server 2016$Windows Vista$Windows XP$Windows XP (Server)$Windows XP (x64)$unknown
                                                                                                                                                                                    • API String ID: 3494037109-1940253508
                                                                                                                                                                                    • Opcode ID: 88e3ea5e8238af3bf35440669ce2a958b98f1e6956dc7733d241e38bdf75bfd0
                                                                                                                                                                                    • Instruction ID: 5edd18336874d03b07c1d8f9fd9273c4d91aaabd2919fddb9251a9788a3ef01a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 88e3ea5e8238af3bf35440669ce2a958b98f1e6956dc7733d241e38bdf75bfd0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3C71E4B261CA456BEB148EA8CC437D6B2D27389720FB5402DE6098F7C1D7B34DC58706
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE10A61
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10A72
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE10A88
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10A99
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE10AAF
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10AC0
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10B11
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,?,00000000,?,00000000,?,00000000), ref: 6EE10B17
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10B49
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,?,00000000,?,00000000,?,00000000), ref: 6EE10B4F
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10B81
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,?,00000000,?,00000000,?,00000000), ref: 6EE10B87
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10C27
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,6EE1473C,?,00000000,?,00000000), ref: 6EE10C2D
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10C5B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,6EE1473C,?,00000000,?,00000000), ref: 6EE10C61
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10C8F
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,6EE1473C,?,00000000,?,00000000), ref: 6EE10C95
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??3@$??2@
                                                                                                                                                                                    • String ID: 0A$einval$error$fallback$not_found$timeout$unknown$unsupported
                                                                                                                                                                                    • API String ID: 982000662-1868593199
                                                                                                                                                                                    • Opcode ID: e3aeb94c2dc16a38888714fe1cb2430c99454388a143103844c5fb77a99bd161
                                                                                                                                                                                    • Instruction ID: b0e3982845a62b1c4d2830ecc4d50cef80a3f26bdace0715d309c47a3c2b78f1
                                                                                                                                                                                    • Opcode Fuzzy Hash: e3aeb94c2dc16a38888714fe1cb2430c99454388a143103844c5fb77a99bd161
                                                                                                                                                                                    • Instruction Fuzzy Hash: DE81C371218106AF9B119FA8CDA2CFB73AAEB4570C7644429E911DB385F770DDE18B90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE10D11
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10D21
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE10D37
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10D45
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10D89
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000,00000000), ref: 6EE10D8F
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10DC1
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000,00000000), ref: 6EE10DC7
                                                                                                                                                                                      • Part of subcall function 6EE07664: calloc.MSVCRT ref: 6EE076AD
                                                                                                                                                                                      • Part of subcall function 6EE07664: GetFileAttributesW.KERNEL32(00000000,00000000), ref: 6EE07738
                                                                                                                                                                                      • Part of subcall function 6EE07664: free.MSVCRT ref: 6EE07746
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10EA0
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,einval,00000000,00000000,00000000,00000000), ref: 6EE10EA6
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10ED7
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000), ref: 6EE10EDD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmpDownload File
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??3@$??2@$AttributesFilecallocfree
                                                                                                                                                                                    • String ID: 0A$InvokeShellVerb: And invalid verb id has been specified!$InvokeShellVerb: Specified file name and/or path is missing!$StdUtils$StdUtils$einval$einval$error$not_found$timeout$unknown$unsupported
                                                                                                                                                                                    • API String ID: 183616607-955769117
                                                                                                                                                                                    • Opcode ID: 94d0abc18a7a2deab4a50046f63990ce0503701c1fc5191f50de2236435dc98e
                                                                                                                                                                                    • Instruction ID: ee167b7cea090c22e1856ef9bebcc24091bb20f4d8bb9d550e86dd3922f62bac
                                                                                                                                                                                    • Opcode Fuzzy Hash: 94d0abc18a7a2deab4a50046f63990ce0503701c1fc5191f50de2236435dc98e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5251257221C6426FDF11AFE9CC96DEB32ACEB46708B24442AF511CB345F76199E28291
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • BeginPaint.USER32(?,?,?,?,?), ref: 703E1012
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 703E1020
                                                                                                                                                                                    • CreateFontW.GDI32(0000000C,00000007,00000000,00000000,00000190,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,MS SANS SERIF), ref: 703E1040
                                                                                                                                                                                    • wsprintfW.USER32 ref: 703E10B2
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 703E10BD
                                                                                                                                                                                    • GetTextExtentPoint32W.GDI32(00000000,?,00000004,?), ref: 703E10D2
                                                                                                                                                                                    • CreateBrushIndirect.GDI32 ref: 703E112B
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 703E113A
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 703E1147
                                                                                                                                                                                    • SetBkColor.GDI32(00000000,00FF0000), ref: 703E114F
                                                                                                                                                                                    • SetTextColor.GDI32(00000000,00FFFFFF), ref: 703E115B
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,00000000,?,?,?), ref: 703E1169
                                                                                                                                                                                    • ExtTextOutW.GDI32(00000000,?,?,00000006,?,?,00000000), ref: 703E119B
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 703E11BE
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 703E11CF
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 703E11DA
                                                                                                                                                                                    • SetBkColor.GDI32(00000000,00FFFFFF), ref: 703E11E2
                                                                                                                                                                                    • SetTextColor.GDI32(00000000,00FF0000), ref: 703E11EE
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,00000000,?,?,?), ref: 703E11FD
                                                                                                                                                                                    • ExtTextOutW.GDI32(00000000,?,00FFFFFF,00000006,?,?,00000000), ref: 703E122E
                                                                                                                                                                                    • DrawEdge.USER32(00000000,?,00000002,0000000F), ref: 703E123E
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 703E1245
                                                                                                                                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 703E124E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Text$ColorObject$CreateDeleteRect$BrushFillIndirectPaintlstrlen$BeginClientDrawEdgeExtentFontPoint32Selectwsprintf
                                                                                                                                                                                    • String ID: %u%%$MS SANS SERIF
                                                                                                                                                                                    • API String ID: 264781808-3414223049
                                                                                                                                                                                    • Opcode ID: 474362eddf5bae8d85dcc3f801ec8251612ae4547f01eb39fed441eea1c76b4e
                                                                                                                                                                                    • Instruction ID: f95eee3482f63ef25c0f308ee0b28ffef7fc14546762294b841eb5c762bd9f8b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 474362eddf5bae8d85dcc3f801ec8251612ae4547f01eb39fed441eea1c76b4e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D611C72108305AFD350DF66CD88F6BBBBDFB89B51F104A18F68282260D775DD058B66
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE12D10
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12D21
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE12D37
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12D48
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE12D5E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12D6F
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 6EE12DA1
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 6EE12DB1
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,ProtectStr() was called with bad 'scope' value!,StdUtils,00002010), ref: 6EE12DD8
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12E6B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,too_long), ref: 6EE12E71
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12EC2
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000), ref: 6EE12EC8
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12EFA
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000), ref: 6EE12F00
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12F32
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000), ref: 6EE12F38
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??3@$??2@$_wcsicmp$Message
                                                                                                                                                                                    • String ID: 0A$ProtectStr() was called with bad 'scope' value!$StdUtils$einval$encr_failed$error$too_long
                                                                                                                                                                                    • API String ID: 42717120-2661074659
                                                                                                                                                                                    • Opcode ID: 9f3ae8cea1c487a7f1cd8c8b7cc9235e36170f0a4a56b6e77f61e50439ad90e1
                                                                                                                                                                                    • Instruction ID: 6da94dec85c38aab7d4cb5cf01fb58c0415087aada88bd53c706e63d21aec1a7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9f3ae8cea1c487a7f1cd8c8b7cc9235e36170f0a4a56b6e77f61e50439ad90e1
                                                                                                                                                                                    • Instruction Fuzzy Hash: 11810472218106AFDF159FE8CC468EB73ADEB1A308725452AF912DB390E730DDD19B90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE123DD
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE123EE
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE12404
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12415
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE1242B
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1243E
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE12454
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12467
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE12480
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12490
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE1249B
                                                                                                                                                                                    • _wsplitpath.MSVCRT ref: 6EE124B7
                                                                                                                                                                                      • Part of subcall function 6EE136D0: GlobalAlloc.KERNEL32(00000040,?,6EE1959C,6EE13818,?), ref: 6EE136E6
                                                                                                                                                                                      • Part of subcall function 6EE136D0: lstrcpynW.KERNEL32(00000004,?), ref: 6EE136FC
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12502
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,?,?,00000000), ref: 6EE1250E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12542
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,?,?,00000000), ref: 6EE12548
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12574
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,00000000,?,?,00000000), ref: 6EE1257A
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE125AA
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,00000000,?,?,00000000), ref: 6EE125B0
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE125DE
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,?,00000000), ref: 6EE125E4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$AllocGlobal_wsetlocale_wsplitpathlstrcpyn
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 239455628-2007828011
                                                                                                                                                                                    • Opcode ID: 4fa9c6a2794917ff377e60354e04286f7da6deb9c83782290e7c3bc8e69b4dd0
                                                                                                                                                                                    • Instruction ID: 67918f46532fe2540e42df8c021b23eb5129c37aadf7d2a41cb16b17b0e1158d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4fa9c6a2794917ff377e60354e04286f7da6deb9c83782290e7c3bc8e69b4dd0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9A71C2713186015FDB159FB8CC96FEB32ACDF4A748F154429F906CB786FB60E8808691
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040448E
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 004044A2
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004044BF
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 004044D0
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004044DE
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004044EC
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 004044F1
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004044FE
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404513
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040456C
                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 00404573
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040459E
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004045E1
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004045EF
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 004045F2
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 0040460B
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040460E
                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 0040463D
                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 0040464F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                    • String ID: Execute: $N$gC@
                                                                                                                                                                                    • API String ID: 3103080414-2997144788
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE10F5C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10F6D
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE10F83
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10F94
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE10FAA
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10FBB
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10FE8
                                                                                                                                                                                    • ShellExecuteExW.SHELL32(?), ref: 6EE11050
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 6EE11073
                                                                                                                                                                                      • Part of subcall function 6EE136D0: GlobalAlloc.KERNEL32(00000040,?,6EE1959C,6EE13818,?), ref: 6EE136E6
                                                                                                                                                                                      • Part of subcall function 6EE136D0: lstrcpynW.KERNEL32(00000004,?), ref: 6EE136FC
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 6EE11099
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE110DB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,error,00000000), ref: 6EE110E1
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1110F
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,error,00000000), ref: 6EE11115
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11143
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,error,00000000), ref: 6EE11149
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$AllocErrorExecuteGlobalLastShell_snwprintflstrcpyn
                                                                                                                                                                                    • String ID: 0A$error$hProc:%08X$no_wait
                                                                                                                                                                                    • API String ID: 1904936257-3325457250
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE12FB6
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12FC7
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE12FDD
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12FEE
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,UnprotectStr() was called with empty 'data' value!,StdUtils,00002010), ref: 6EE1302C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE130C7
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,too_long,?,00000000,00000000,00000000), ref: 6EE130CD
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE13120
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,decr_failed,?,00000000,00000000,00000000), ref: 6EE13126
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE13152
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,?,00000000,00000000,00000000), ref: 6EE13158
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??3@$??2@$Message
                                                                                                                                                                                    • String ID: 0A$StdUtils$UnprotectStr() was called with empty 'data' value!$decr_failed$einval$error$too_long
                                                                                                                                                                                    • API String ID: 1680242409-2213145905
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE104ED
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE104FE
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE10514
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10526
                                                                                                                                                                                    • SHFileOperationW.SHELL32(?,00000000,00000000,?,00000000), ref: 6EE1057D
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 6EE105C6
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,?,StdUtils::SHFileMove,00040010), ref: 6EE105E7
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10619
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,ERROR), ref: 6EE1061F
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1064D
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,ERROR), ref: 6EE10653
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$FileMessageOperation_snwprintf
                                                                                                                                                                                    • String ID: 0A$ABORTED$ERROR$Failed with error code: 0x%X$HFn$StdUtils::SHFileMove
                                                                                                                                                                                    • API String ID: 2646227453-2368322028
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE106D1
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE106E2
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE106F8
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1070A
                                                                                                                                                                                    • SHFileOperationW.SHELL32(?,00000000,00000000,?,00000000), ref: 6EE10761
                                                                                                                                                                                    • _snprintf.MSVCRT ref: 6EE107AA
                                                                                                                                                                                    • MessageBoxA.USER32(00000000,?,StdUtils::SHFileCopy,00040010), ref: 6EE107C9
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE107FB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,ERROR), ref: 6EE10801
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1082F
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,ERROR), ref: 6EE10835
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$FileMessageOperation_snprintf
                                                                                                                                                                                    • String ID: 0A$ABORTED$ERROR$Failed with error code: 0x%X$StdUtils::SHFileCopy
                                                                                                                                                                                    • API String ID: 3240234133-3211944386
                                                                                                                                                                                    • Opcode ID: 6e0e13c9f7371bb38d0bc08097579d67d9bd5d3be8e10c81eef9464f14c35368
                                                                                                                                                                                    • Instruction ID: 64d87324e607a0d0a787c2e20eacbee3d7227913c3684f7c749194a1372ed052
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6e0e13c9f7371bb38d0bc08097579d67d9bd5d3be8e10c81eef9464f14c35368
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0951D171A046055FDB11EFA8CC4AAEB77B8EB49708F25442AE911EB381F770D8D18B90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                    • DrawTextW.USER32(00000000,00472EE0,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                    • String ID: F
                                                                                                                                                                                    • API String ID: 941294808-1304234792
                                                                                                                                                                                    • Opcode ID: bf214f377d6857cb708af565e6f61848071267d92be3f24c40ffd1659e9a65ef
                                                                                                                                                                                    • Instruction ID: 4eb8147a30471c2b969484520d7d1b1c24976f3a1718a772f7b725b3b94c1b26
                                                                                                                                                                                    • Opcode Fuzzy Hash: bf214f377d6857cb708af565e6f61848071267d92be3f24c40ffd1659e9a65ef
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C418A71800249AFCF058FA5DE459AF7BB9FF44314F00842AF991AA1A0C778D954DFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetClientRect.USER32(?,75A52370), ref: 703E15D3
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E1605
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 703E160D
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E1634
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 703E163C
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 703E164A
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E1659
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 703E1661
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E1675
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 703E167D
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 703E1693
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E16A9
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 703E16B5
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E16CB
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 703E16D3
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,?,00000000,00000000,00000000,00000005), ref: 703E16F0
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MetricsSystem$ClientRectWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 233016308-0
                                                                                                                                                                                    • Opcode ID: bfb75ceca67bcbb26c854962970b787f827821f612eb180c737d23299f494dc9
                                                                                                                                                                                    • Instruction ID: 2cc293b8fce3b20f6eb3e9e28a5373265eacfc5edeb01808b4a643deddf9a309
                                                                                                                                                                                    • Opcode Fuzzy Hash: bfb75ceca67bcbb26c854962970b787f827821f612eb180c737d23299f494dc9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E31A573A443259FD310EF3D8D49B5DBAE8AB84654F1B0718FE48E72D4D664ED088B81
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,?,6EE11E86,00000000,00000000,00000000,00000000), ref: 6EE07112
                                                                                                                                                                                      • Part of subcall function 6EE06CBA: memset.MSVCRT ref: 6EE06CCA
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,6EE11E86,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EE07143
                                                                                                                                                                                    • ReadFile.KERNEL32(00000000,?,00001000,?,00000000,?,6EE11E86,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EE0716D
                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,00001000,?,00000000), ref: 6EE071A8
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Failed to read data from input file!,StdUtils::HashUtils,00040010), ref: 6EE071C9
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,6EE11E86,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EE071DC
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Output buffer is too small to hold the hash value!,StdUtils::HashUtils,00040010), ref: 6EE0723C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Failed to open input file for reading!, xrefs: 6EE0721A
                                                                                                                                                                                    • StdUtils::HashUtils, xrefs: 6EE07215
                                                                                                                                                                                    • Output buffer is too small to hold the hash value!, xrefs: 6EE07235
                                                                                                                                                                                    • StdUtils::HashUtils, xrefs: 6EE071BE
                                                                                                                                                                                    • StdUtils::HashUtils, xrefs: 6EE07230
                                                                                                                                                                                    • Failed to read data from input file!, xrefs: 6EE071C3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseHandleMessageRead$Creatememset
                                                                                                                                                                                    • String ID: Failed to open input file for reading!$Failed to read data from input file!$Output buffer is too small to hold the hash value!$StdUtils::HashUtils$StdUtils::HashUtils$StdUtils::HashUtils
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset
                                                                                                                                                                                    • String ID: 19H1$Redstone 1$Redstone 2$Redstone 3$Redstone 4$Redstone 5$Threshold 1$Threshold 2$unknown
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 6EE07336: memset.MSVCRT ref: 6EE0734A
                                                                                                                                                                                      • Part of subcall function 6EE07336: GetModuleHandleW.KERNEL32(shell32), ref: 6EE0735C
                                                                                                                                                                                      • Part of subcall function 6EE07336: LoadLibraryW.KERNEL32(shell32), ref: 6EE0736E
                                                                                                                                                                                      • Part of subcall function 6EE07305: VariantInit.OLEAUT32(?), ref: 6EE07306
                                                                                                                                                                                      • Part of subcall function 6EE07305: VariantClear.OLEAUT32(?), ref: 6EE07314
                                                                                                                                                                                      • Part of subcall function 6EE07305: SysAllocString.OLEAUT32(00000000), ref: 6EE0731E
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 6EE07505
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE07510
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 6EE07574
                                                                                                                                                                                    • SysFreeString.OLEAUT32(?), ref: 6EE07596
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE075AF
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE075CC
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE075F4
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE075FB
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE07642
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE07649
                                                                                                                                                                                      • Part of subcall function 6EE059FE: GetTickCount.KERNEL32 ref: 6EE05A01
                                                                                                                                                                                      • Part of subcall function 6EE059FE: MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,?,000005FF), ref: 6EE05A27
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE07654
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Variant$Clear$InitString$AllocCountFreeHandleLibraryLoadModuleMultipleObjectsTickWait_wcsicmpmemset
                                                                                                                                                                                    • String ID: }
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE10336
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1034C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10417
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,-00000002,00000000,00000000,00000000), ref: 6EE1041D
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1042F
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,?), ref: 6EE10435
                                                                                                                                                                                      • Part of subcall function 6EE136D0: GlobalAlloc.KERNEL32(00000040,?,6EE1959C,6EE13818,?), ref: 6EE136E6
                                                                                                                                                                                      • Part of subcall function 6EE136D0: lstrcpynW.KERNEL32(00000004,?), ref: 6EE136FC
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10465
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000), ref: 6EE1046B
                                                                                                                                                                                      • Part of subcall function 6EE13560: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,00000000,6EE10399,00000000,00000000,00000000), ref: 6EE1357B
                                                                                                                                                                                      • Part of subcall function 6EE13560: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,6EE10399,00000000,00000000,00000000), ref: 6EE13592
                                                                                                                                                                                      • Part of subcall function 6EE13560: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,000000FF,000000FF,00000000,00000000,00000000,6EE10399,00000000,00000000,00000000), ref: 6EE135A6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??3@$??2@ByteCharMultiWide$AllocGloballstrcpyn
                                                                                                                                                                                    • String ID: 0A$error$error$too_long
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE10193
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE101A9
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1026A
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,-00000002,00000000,?,00000000,00000000), ref: 6EE10270
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10282
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00000002), ref: 6EE1028A
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE102BC
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000), ref: 6EE102C2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??3@$??2@
                                                                                                                                                                                    • String ID: 0A$error$error$too_long
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004060A1,?,?), ref: 00405F41
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,004688E8,00000400), ref: 00405F4A
                                                                                                                                                                                      • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                      • Part of subcall function 00405D15: lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,004690E8,00000400), ref: 00405F67
                                                                                                                                                                                    • wsprintfA.USER32 ref: 00405F85
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,004690E8,C0000000,00000004,004690E8,?,?,?,?,?), ref: 00405FC0
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405FCF
                                                                                                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406007
                                                                                                                                                                                    • SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,004684E8,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 0040605D
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0040606E
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406075
                                                                                                                                                                                      • Part of subcall function 00405DB0: GetFileAttributesW.KERNEL32(004E7000,00402F1D,004E7000,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405DB4
                                                                                                                                                                                      • Part of subcall function 00405DB0: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405DD6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                    • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                    • API String ID: 2171350718-461813615
                                                                                                                                                                                    • Opcode ID: b694a888aaf83b7fce4c3b5560ec35c5a1d29ec5cfaa1e3dee45fb0367e4abd5
                                                                                                                                                                                    • Instruction ID: 1ccef14564d3a4e3590f6d96bf23d62cdd24cd7414a0bd79904b9c13782922cd
                                                                                                                                                                                    • Opcode Fuzzy Hash: b694a888aaf83b7fce4c3b5560ec35c5a1d29ec5cfaa1e3dee45fb0367e4abd5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 08312530641B05BBC220AB659D48F6B3AACDF45744F15003FFA42F72C2EB7C98118AAD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,/TL,00000000,771B05F0,703E1754,00000000,00000000,?,?,?,?,00000000,703E1D1A), ref: 703E13E2
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,/TR,?,?,?,?,00000000,703E1D1A), ref: 703E13F6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcmpi
                                                                                                                                                                                    • String ID: /BL$/BR$/CENTER$/ICON$/MODERN$/TL$/TR
                                                                                                                                                                                    • API String ID: 1586166983-1886566901
                                                                                                                                                                                    • Opcode ID: 44eb56679296558254790883f8102d7149e4937a7820623a1b78344ceb43237c
                                                                                                                                                                                    • Instruction ID: 67dbe0188271dd0f4b2edca81bcf3c92d8a7beebdd4d82b970cc1ae40b7a2427
                                                                                                                                                                                    • Opcode Fuzzy Hash: 44eb56679296558254790883f8102d7149e4937a7820623a1b78344ceb43237c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5201EC7330543621D652312FBC04FCE82AE4FD1AA5F0783A6F441DA299D74DDDC31AA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 6EE081CC: _getpid.MSVCRT(80000001,6EE19590,6EE082DC,80000001,6EE08315,80000000,?,6EE0ED33,?,6EE1959C,?,6EE0EDAE,00000000), ref: 6EE081CE
                                                                                                                                                                                      • Part of subcall function 6EE081CC: clock.MSVCRT ref: 6EE081D6
                                                                                                                                                                                      • Part of subcall function 6EE081CC: time.MSVCRT(00000000,?,6EE0ED33,?,6EE1959C,?,6EE0EDAE,00000000), ref: 6EE081E0
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08218
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE0821F
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08226
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08230
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08249
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08250
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08257
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08261
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08279
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08280
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08287
                                                                                                                                                                                    • rand.MSVCRT ref: 6EE08291
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: rand$_getpidclocktime
                                                                                                                                                                                    • String ID: *
                                                                                                                                                                                    • API String ID: 36775035-163128923
                                                                                                                                                                                    • Opcode ID: 7262a1d57adb12c298435f37bd80ee990ae4510e36d0c6133f34b7b166cd92d8
                                                                                                                                                                                    • Instruction ID: f0823b01500e279634048bd245bc910024bd240cafff52f1944709ad052f82a5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7262a1d57adb12c298435f37bd80ee990ae4510e36d0c6133f34b7b166cd92d8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 05113071A143294BD700EFB4DC4145E7BDABFC8154F540D3FE594C3242E678C9598AE6
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE11F80
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11F91
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE11FA7
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11FB7
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12036
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,einval,00000000,00000000,00000000,00000000), ref: 6EE1203C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12068
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,einval,00000000,00000000,00000000,00000000), ref: 6EE1206E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@
                                                                                                                                                                                    • String ID: 0A$einval$error
                                                                                                                                                                                    • API String ID: 1827009568-1764747320
                                                                                                                                                                                    • Opcode ID: 6ba4000283faf409a52540db233ecfd6dfddecaed82ec3e1b1779b337b2f8831
                                                                                                                                                                                    • Instruction ID: cbc580f7d3821a404e83dea905de2b323f8dd439d23d5b7917e483e016283076
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6ba4000283faf409a52540db233ecfd6dfddecaed82ec3e1b1779b337b2f8831
                                                                                                                                                                                    • Instruction Fuzzy Hash: 044115727086025FEB149FB8CC46FDB22ACDF8A758B25492DF911DB385EB60D8C1C690
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE11E1A
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11E2B
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE11E41
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11E51
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11EC7
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,einval,00000000,00000000,00000000,00000000), ref: 6EE11ECD
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11EFD
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000,00000000), ref: 6EE11F03
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@
                                                                                                                                                                                    • String ID: 0A$einval$error
                                                                                                                                                                                    • API String ID: 1827009568-1764747320
                                                                                                                                                                                    • Opcode ID: f7a8d3a9e85237ed3bf0ef3135db8c310029f78a0f6194e2b6b285dfc33307ca
                                                                                                                                                                                    • Instruction ID: d6caa54c4fd5b5f03d78f9dce2d221e74685d6012043c22017a5dacbb01c2e2b
                                                                                                                                                                                    • Opcode Fuzzy Hash: f7a8d3a9e85237ed3bf0ef3135db8c310029f78a0f6194e2b6b285dfc33307ca
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1F41E4722086016FDB159FF8CC4AEEF76ADDF4A758725482DF416CB385EB20D8C58690
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE1265C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1266D
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE12683
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12691
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE1269C
                                                                                                                                                                                    • _wsplitpath.MSVCRT ref: 6EE126B4
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE126E9
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,00000000), ref: 6EE126EF
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1271E
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000), ref: 6EE12724
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_wsetlocale_wsplitpath
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1271169891-2007828011
                                                                                                                                                                                    • Opcode ID: 5cb8ebb855197285181176d3003d75179e995199db0cb44b809d22e99b347675
                                                                                                                                                                                    • Instruction ID: 8caf32cd06834b37814635c5aba9ce8cc2cbb4fbb085dfc3a242f60cad5f474d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5cb8ebb855197285181176d3003d75179e995199db0cb44b809d22e99b347675
                                                                                                                                                                                    • Instruction Fuzzy Hash: A131C0B12005056FEB15AFB8DC869EB73ACEF4A758715442AF916CB381E720DCD18BA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE12A2E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12A3F
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE12A55
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12A63
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE12A6E
                                                                                                                                                                                    • _wsplitpath.MSVCRT ref: 6EE12A86
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12ABB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,00000000), ref: 6EE12AC1
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12AF0
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000), ref: 6EE12AF6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_wsetlocale_wsplitpath
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1271169891-2007828011
                                                                                                                                                                                    • Opcode ID: 9f17c8c2406c649063107ebe56d7ff98b1f98e3abf9eb748103e4e254ef8acce
                                                                                                                                                                                    • Instruction ID: bd438aa8ae0a7157dc475602347c6665c07aa61cee38c45743f59e529c4b6978
                                                                                                                                                                                    • Opcode Fuzzy Hash: 9f17c8c2406c649063107ebe56d7ff98b1f98e3abf9eb748103e4e254ef8acce
                                                                                                                                                                                    • Instruction Fuzzy Hash: C131C0722005056FAB15AFACCC869FB73ADEF4A718715842AF916CB345E720DCC18BA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE128E8
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE128F9
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE1290F
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1291D
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE12928
                                                                                                                                                                                    • _wsplitpath.MSVCRT ref: 6EE12940
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12975
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,00000000), ref: 6EE1297B
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE129AA
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000), ref: 6EE129B0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_wsetlocale_wsplitpath
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1271169891-2007828011
                                                                                                                                                                                    • Opcode ID: 5eb6fb9f799c2d0a24ff98aed15cc67eff4fb8541c2a306fdad587ee311bf096
                                                                                                                                                                                    • Instruction ID: 1c55e3f009678e4919cffc21737c2b847c1e16e054900c18fe6ca51eb3bc2ec1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5eb6fb9f799c2d0a24ff98aed15cc67eff4fb8541c2a306fdad587ee311bf096
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6C31C0B22105056FEB15AFACCC86DEB73ACEF4A718715442AF916CB345E720DCC18BA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE127A2
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE127B3
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE127C9
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE127D7
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE127E2
                                                                                                                                                                                    • _wsplitpath.MSVCRT ref: 6EE127FA
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1282F
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,00000000), ref: 6EE12835
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12864
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000), ref: 6EE1286A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_wsetlocale_wsplitpath
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1271169891-2007828011
                                                                                                                                                                                    • Opcode ID: 990c76790ac1d4eef3c1916ad43c5f020e08f3e2ba1b46bb3b3a579e53312c88
                                                                                                                                                                                    • Instruction ID: ba5d53a7a742824f3ebae0739e1e98772d826ce5e6c3c1cc84a9123df363e1e2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 990c76790ac1d4eef3c1916ad43c5f020e08f3e2ba1b46bb3b3a579e53312c88
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4F31D3B12005056FDB15AFB8CC86DEB73ADEF4A7187154429F915C7345E720DCC18B91
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0F095
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F0CF
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F0F4
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00000000,00000000), ref: 6EE0F0FA
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F11C
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,?,00000000), ref: 6EE0F124
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00000000,error), ref: 6EE0F0D5
                                                                                                                                                                                      • Part of subcall function 6EE136D0: GlobalAlloc.KERNEL32(00000040,?,6EE1959C,6EE13818,?), ref: 6EE136E6
                                                                                                                                                                                      • Part of subcall function 6EE136D0: lstrcpynW.KERNEL32(00000004,?), ref: 6EE136FC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@memset$??2@AllocGloballstrcpyn
                                                                                                                                                                                    • String ID: 0A$einval$error$too_long
                                                                                                                                                                                    • API String ID: 4029303160-3859856511
                                                                                                                                                                                    • Opcode ID: 49795b69423da4ca70fa0157a8f30e8adb3d084a2032e3efc9cc1ea470388180
                                                                                                                                                                                    • Instruction ID: f8243560a86b0278737c1593bf7906a5bf61b843f50a159c042df4c7c5153dd7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 49795b69423da4ca70fa0157a8f30e8adb3d084a2032e3efc9cc1ea470388180
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5731C171600606ABDB019FA8CC45BDB33ACEF45728B21442AF915DB302EB74D9A1CB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE111BC
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE111CE
                                                                                                                                                                                    • swscanf.MSVCRT ref: 6EE111EA
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 6EE11208
                                                                                                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 6EE11219
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 6EE11228
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1126D
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,error), ref: 6EE11273
                                                                                                                                                                                      • Part of subcall function 6EE136D0: GlobalAlloc.KERNEL32(00000040,?,6EE1959C,6EE13818,?), ref: 6EE136E6
                                                                                                                                                                                      • Part of subcall function 6EE136D0: lstrcpynW.KERNEL32(00000004,?), ref: 6EE136FC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
• Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@AllocCloseCodeExitGlobalHandleObjectProcessSingleWaitlstrcpynswscanf
                                                                                                                                                                                    • String ID: 0A$error$hProc:%X
                                                                                                                                                                                    • API String ID: 43933247-2066092378
                                                                                                                                                                                    • Opcode ID: 27cf8ef7df020140f4ff78a4e9673f89c2b9e65c836437419ed7b4d1eaea7665
                                                                                                                                                                                    • Instruction ID: 1cf4ab110f68841a781114cb983a90fe06e219fa0f38499cd3e8363e703967e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 27cf8ef7df020140f4ff78a4e9673f89c2b9e65c836437419ed7b4d1eaea7665
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8D31AF712156069FDF01DFE8DC869EA37ACEF0A318B24412AF925D6350E731CDA4CB92
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE108B2
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE108C3
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE108D9
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE108E9
                                                                                                                                                                                      • Part of subcall function 6EE136D0: GlobalAlloc.KERNEL32(00000040,?,6EE1959C,6EE13818,?), ref: 6EE136E6
                                                                                                                                                                                      • Part of subcall function 6EE136D0: lstrcpynW.KERNEL32(00000004,?), ref: 6EE136FC
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE109AC
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,error,?,00000000,?,00000000), ref: 6EE109B2
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE109E0
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,error,?,00000000,?,00000000), ref: 6EE109E6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
• Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$AllocGloballstrcpyn
                                                                                                                                                                                    • String ID: 0A$error
                                                                                                                                                                                    • API String ID: 1680118246-3130266295
                                                                                                                                                                                    • Opcode ID: b35d9889154e751b6f5df9094e20bb4907c54ed56b47980e102a9e0a59a0c145
                                                                                                                                                                                    • Instruction ID: 59977618b3c3589272dab18be35820513a8dbcaf46e024a1baa69e3756b0a281
                                                                                                                                                                                    • Opcode Fuzzy Hash: b35d9889154e751b6f5df9094e20bb4907c54ed56b47980e102a9e0a59a0c145
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8A51B271A0420A9FEF00EFA8CC928EE77B9EF45308B21452EE525D7350E7709E90CB90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0F8A9
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F8BA
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE0F8D0
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F8DE
                                                                                                                                                                                    • swscanf.MSVCRT ref: 6EE0F926
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F992
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,?,?,?), ref: 6EE0F998
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F9C6
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,?,?,?), ref: 6EE0F9CC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
• Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$swscanf
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 569297226-2007828011
                                                                                                                                                                                    • Opcode ID: a556ca502acd120d7a63f3aaf03ce6a898afe5b4b727d793c969e90b9ed8c1af
                                                                                                                                                                                    • Instruction ID: 7dc0f211a26b147a4900d4c5b34100cd19960d76f771113a8ce2fe3bb7638283
                                                                                                                                                                                    • Opcode Fuzzy Hash: a556ca502acd120d7a63f3aaf03ce6a898afe5b4b727d793c969e90b9ed8c1af
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D518DB1A00205AFDB11EFE8CC868EF77ADEF09314B65482AE915D7350E734DDA08B90
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0F72C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F73D
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE0F753
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F761
                                                                                                                                                                                    • swscanf.MSVCRT ref: 6EE0F79A
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F7F2
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,?,?), ref: 6EE0F7F8
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F826
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,?,?), ref: 6EE0F82C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
• Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$swscanf
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 569297226-2007828011
                                                                                                                                                                                    • Opcode ID: f972d8f98a1b6906ea2cf22cb8bee717d7ab483a9f2f0a77b7504f3afef2a50f
                                                                                                                                                                                    • Instruction ID: 1a3ab44a74ad131fbda585b233d5be793ca421e4d48d06f8879b8e5790c90cbc
                                                                                                                                                                                    • Opcode Fuzzy Hash: f972d8f98a1b6906ea2cf22cb8bee717d7ab483a9f2f0a77b7504f3afef2a50f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5A41BEB2610605AFDB11DFA8CC868EB77ADEF05314725482AF915C7350E730DDA0CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0F468
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F479
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE0F48F
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F49E
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 6EE0F4D4
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F521
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000), ref: 6EE0F527
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F554
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000), ref: 6EE0F55A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
• Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_snwprintf
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0F5D3
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F5E4
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000), ref: 6EE0F5FA
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F608
                                                                                                                                                                                    • swscanf.MSVCRT ref: 6EE0F632
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F677
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,?), ref: 6EE0F67D
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F6AB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,?), ref: 6EE0F6B1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$swscanf
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0F30A
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F31B
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE0F331
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F340
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 6EE0F36B
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F3B8
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000), ref: 6EE0F3BE
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F3EB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000), ref: 6EE0F3F1
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_snwprintf
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE120E5
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE120F6
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE1210C
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1211E
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE12129
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12188
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,6EE14CDC,00000000,00000000), ref: 6EE1218E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE121BC
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,00000000,00002000,6EE14CDC,00000000,00000000), ref: 6EE121C2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_wsetlocale
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0F1B8
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F1C9
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE0F1DF
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F1EE
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 6EE0F20E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F25B
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000), ref: 6EE0F261
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0F28E
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000), ref: 6EE0F294
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@$_snwprintf
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE06CCA
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Blake2_Init internal error, going to abort!,StdUtils::HashFunction_Init,00040010), ref: 6EE06E50
                                                                                                                                                                                    • abort.MSVCRT(?,Blake2_Init internal error, going to abort!,StdUtils::HashFunction_Init,00040010), ref: 6EE06E56
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,The specified hash type is unknown/unsupported!,StdUtils::HashUtils,00040010), ref: 6EE06E79
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • 8Sn, xrefs: 6EE06DAE
                                                                                                                                                                                    • Blake2_Init internal error, going to abort!, xrefs: 6EE06E4A
                                                                                                                                                                                    • The specified hash type is unknown/unsupported!, xrefs: 6EE06E73
                                                                                                                                                                                    • StdUtils::HashUtils, xrefs: 6EE06E6E
                                                                                                                                                                                    • StdUtils::HashFunction_Init, xrefs: 6EE06E45
                                                                                                                                                                                    • XSn, xrefs: 6EE06D83
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$abortmemset
                                                                                                                                                                                    • String ID: 8Sn$Blake2_Init internal error, going to abort!$StdUtils::HashFunction_Init$StdUtils::HashUtils$The specified hash type is unknown/unsupported!$XSn
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000001), ref: 6EE0EF7B
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0EF89
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0EFCF
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,?,EOL), ref: 6EE0EFD5
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,RandList() was called with bad arguments!,StdUtils,00002010), ref: 6EE0EFFF
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@Message
                                                                                                                                                                                    • String ID: 0A$EOL$RandList() was called with bad arguments!$StdUtils$einval
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindWindowExW.USER32(?,00000000,#32770,00000000), ref: 703E1BEB
                                                                                                                                                                                    • SendMessageW.USER32(?,00000407,00000000,00000000), ref: 703E1C2D
                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000000,?), ref: 703E1C44
                                                                                                                                                                                    • SendMessageW.USER32(?,00000402,00000001,00000000), ref: 703E1C56
                                                                                                                                                                                    • IsWindow.USER32(?), ref: 703E1C64
                                                                                                                                                                                    • PeekMessageW.USER32(?,?,00000000,00000000,00000001), ref: 703E1C92
                                                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 703E1C9D
                                                                                                                                                                                    • WaitMessage.USER32 ref: 703E1CA1
                                                                                                                                                                                    • IsWindow.USER32(?), ref: 703E1CAA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$SendWindow$DispatchFindPeekWait
                                                                                                                                                                                    • String ID: #32770
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(6EE00000,?,00000104,?,?,?), ref: 6EE06844
                                                                                                                                                                                    • _snwprintf.MSVCRT ref: 6EE0687C
                                                                                                                                                                                    • FatalAppExitW.KERNEL32(00000000,?), ref: 6EE06892
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(000000FF), ref: 6EE06896
                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 6EE06899
                                                                                                                                                                                    • FatalAppExitW.KERNEL32(00000000,This is not a valid Win32 application!), ref: 6EE068A2
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(000000FF), ref: 6EE068A6
                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 6EE068A9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • This is not a valid Win32 application!, xrefs: 6EE0689B
                                                                                                                                                                                    • %s is not a valid Win32 application!, xrefs: 6EE0686B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$CurrentExitFatalTerminate$FileModuleName_snwprintf
                                                                                                                                                                                    • String ID: %s is not a valid Win32 application!$This is not a valid Win32 application!
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0FEE1
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FEF3
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE0FEFE
                                                                                                                                                                                    • iswcntrl.MSVCRT ref: 6EE0FF1D
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FFCD
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,invalid,00000000,00000000), ref: 6EE0FFD3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@_wsetlocaleiswcntrl
                                                                                                                                                                                    • String ID: 0A$<>"|?*$invalid
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0FDB0
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FDC2
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE0FDCD
                                                                                                                                                                                    • iswcntrl.MSVCRT ref: 6EE0FDE8
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FE63
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,invalid,00000000,00000000), ref: 6EE0FE69
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@_wsetlocaleiswcntrl
                                                                                                                                                                                    • String ID: 0A$<>:"/\|?*$invalid
                                                                                                                                                                                    • API String ID: 1770610939-3758005444
                                                                                                                                                                                    • Opcode ID: 57a1fcf9eb3d3cc657fa3111adba10d244be01d0e762de007c55825a0f9dcd87
                                                                                                                                                                                    • Instruction ID: c09ec41101d89f0b28f3d9263c9ab2e5509c1e4881b77c5d2c59dbdb972998eb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 57a1fcf9eb3d3cc657fa3111adba10d244be01d0e762de007c55825a0f9dcd87
                                                                                                                                                                                    • Instruction Fuzzy Hash: 743103752146039BDB119FE8CC56ABA33F8EB45728B34442EF551CB381EB24C8E2C750
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 6EE059FE: GetTickCount.KERNEL32 ref: 6EE05A01
                                                                                                                                                                                      • Part of subcall function 6EE059FE: MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,?,000005FF), ref: 6EE05A27
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 6EE0E694
                                                                                                                                                                                      • Part of subcall function 6EE07305: VariantInit.OLEAUT32(?), ref: 6EE07306
                                                                                                                                                                                      • Part of subcall function 6EE07305: VariantClear.OLEAUT32(?), ref: 6EE07314
                                                                                                                                                                                      • Part of subcall function 6EE07305: SysAllocString.OLEAUT32(00000000), ref: 6EE0731E
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 6EE0E6C2
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE0E6CF
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE0E736
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE0E73D
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE0E744
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE0E74B
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE0E752
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Variant$Clear$Init$AllocCountMultipleObjectsStringTickWait
                                                                                                                                                                                    • String ID: }
                                                                                                                                                                                    • API String ID: 675311509-4239843852
                                                                                                                                                                                    • Opcode ID: 72b0dc947c9d1aeccab0ef51b8398f52509c1b058be53a4d9210604de1026080
                                                                                                                                                                                    • Instruction ID: 37a19d7978b02105e9f67c61747b6d1b65c1d6b8d09d2d14ac8646117c8e38a6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 72b0dc947c9d1aeccab0ef51b8398f52509c1b058be53a4d9210604de1026080
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6D314D724047059BCB01EFB8C8849CBBBEDEF86358F150D19FA949B120D771EA598BD2
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE12C0E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12C21
                                                                                                                                                                                    • swscanf.MSVCRT ref: 6EE12C3B
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE12C8C
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,error), ref: 6EE12C92
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@swscanf
                                                                                                                                                                                    • String ID: 0A$<Mn$TimerId:%X$error
                                                                                                                                                                                    • API String ID: 132819863-2311519495
                                                                                                                                                                                    • Opcode ID: b201f010594e3f677b65cdfdbfc3f178f368241f6f45d9bb5d6aa2ce882da988
                                                                                                                                                                                    • Instruction ID: 2f97cad4a8b6d6d1d8413bbff2a29a0c01d715670d533b3568222f94362cfca8
                                                                                                                                                                                    • Opcode Fuzzy Hash: b201f010594e3f677b65cdfdbfc3f178f368241f6f45d9bb5d6aa2ce882da988
                                                                                                                                                                                    • Instruction Fuzzy Hash: B521DE717146016FDB019FACCC06BEA33BCEB4A758F214029FA25CB780E730D8918791
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE066E5
                                                                                                                                                                                    • VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,00000004,?), ref: 6EE06721
                                                                                                                                                                                    • VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,00000004,?), ref: 6EE06729
                                                                                                                                                                                    • VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06731
                                                                                                                                                                                    • VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000020,00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06739
                                                                                                                                                                                      • Part of subcall function 6EE06678: GetModuleHandleW.KERNEL32(ntdll,?,6EE0674B,?,0000002B,00000000,?,?,00000008,00000001,?,00000020,00000003,?,00000001,00000003), ref: 6EE06680
                                                                                                                                                                                      • Part of subcall function 6EE06678: GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 6EE06690
                                                                                                                                                                                    • GetLastError.KERNEL32(00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06755
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,VerifyVersionInfo() has failed, cannot test Windows version!,StdUtils::verify_os_version,00040010), ref: 6EE0677A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • VerifyVersionInfo() has failed, cannot test Windows version!, xrefs: 6EE06774
                                                                                                                                                                                    • StdUtils::verify_os_version, xrefs: 6EE0676F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ConditionMask$AddressErrorHandleLastMessageModuleProcmemset
                                                                                                                                                                                    • String ID: StdUtils::verify_os_version$VerifyVersionInfo() has failed, cannot test Windows version!
                                                                                                                                                                                    • API String ID: 1050149814-3472982212
                                                                                                                                                                                    • Opcode ID: 4003422e2bce18478835ca44a9f71df60a70de3eec4c7a5eb4a8ab25706f027f
                                                                                                                                                                                    • Instruction ID: 0f44a0df4a99dbd88533f426b647e192bf96209a76b2cd295a5977edeb917ea3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4003422e2bce18478835ca44a9f71df60a70de3eec4c7a5eb4a8ab25706f027f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8611B6B1D503287AEB216BE58C4AFEB3A7CEB48704F004556F645FB281D2B58ED44BA0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 703E1277
                                                                                                                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 703E1285
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 703E12A4
                                                                                                                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 703E12B2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Proc$InvalidateRectShow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1966547911-0
                                                                                                                                                                                    • Opcode ID: b47528744b464f54880efbf5fa6dd13262399ba68f0898e5e592f04a4b5b069d
                                                                                                                                                                                    • Instruction ID: 6e4604ed3fdcaacca2575d4de727ea9ce8c56697ea7503946eabfb7a15927b3d
                                                                                                                                                                                    • Opcode Fuzzy Hash: b47528744b464f54880efbf5fa6dd13262399ba68f0898e5e592f04a4b5b069d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 43219233644228ABD220DB5BECC8FAFBB6CFBC9661F11056AF646D2240C3655C05D771
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 703E1FE9
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 703E1FFE
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 703E2013
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,?), ref: 703E2027
                                                                                                                                                                                    • GetActiveWindow.USER32 ref: 703E202A
                                                                                                                                                                                    • ShowWindow.USER32(?,00000009,?,?,703E218F), ref: 703E2043
                                                                                                                                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 703E205B
                                                                                                                                                                                    • ShowWindow.USER32(?,00000005,?,?,703E218F), ref: 703E2070
                                                                                                                                                                                    • DestroyIcon.USER32(?,?,703E218F), ref: 703E207D
                                                                                                                                                                                    • SendMessageW.USER32(?,00000010,00000000,00000000), ref: 703E209D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544441124.00000000703E0000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544798619.00000000703E3000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544854261.00000000703E5000.00000002.00000001.01000000.00000006.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Long$MessageSendShow$ActiveDestroyIcon
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@_wsetlocalewcsncpy
                                                                                                                                                                                    • String ID: 0A$error
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE11451
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE11463
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE1146E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE114CE
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,true,?,?,00000000,00000000), ref: 6EE114D4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@_wsetlocale
                                                                                                                                                                                    • String ID: 0A$false$true
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000,?), ref: 0040535A
                                                                                                                                                                                    • lstrlenW.KERNEL32(0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0,?,?,?,?,?,?,?,?,?,0040327A,00000000), ref: 0040536A
                                                                                                                                                                                    • lstrcatW.KERNEL32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,0040327A,0040327A,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,0042F1FB,771B23A0), ref: 0040537D
                                                                                                                                                                                    • SetWindowTextW.USER32(Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true), ref: 0040538F
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004053B5
                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004053CF
                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 004053DD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrlen$TextWindowlstrcat
                                                                                                                                                                                    • String ID: Execute: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E153C
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000001), ref: 703E1544
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E155B
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000000), ref: 703E1565
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 703E157E
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E158B
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 703E1599
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 703E15A0
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,?,?,75A523D0,?,?,703E1AE6), ref: 703E15AF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MetricsSystem$Window
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(6EE19550,6EE1959C), ref: 6EE05AD4
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6EE19550), ref: 6EE05D43
                                                                                                                                                                                      • Part of subcall function 6EE05A5E: RaiseException.KERNEL32(0000046B,00000001,00000000,00000000,6EE05B0F), ref: 6EE05A70
                                                                                                                                                                                      • Part of subcall function 6EE05A5E: LeaveCriticalSection.KERNEL32(?,6EE05B0F), ref: 6EE05A78
                                                                                                                                                                                      • Part of subcall function 6EE06819: GetModuleFileNameW.KERNEL32(6EE00000,?,00000104,?,?,?), ref: 6EE06844
                                                                                                                                                                                      • Part of subcall function 6EE06819: _snwprintf.MSVCRT ref: 6EE0687C
                                                                                                                                                                                      • Part of subcall function 6EE06819: FatalAppExitW.KERNEL32(00000000,?), ref: 6EE06892
                                                                                                                                                                                      • Part of subcall function 6EE06819: GetCurrentProcess.KERNEL32(000000FF), ref: 6EE06896
                                                                                                                                                                                      • Part of subcall function 6EE06819: TerminateProcess.KERNEL32(00000000), ref: 6EE06899
                                                                                                                                                                                      • Part of subcall function 6EE06819: FatalAppExitW.KERNEL32(00000000,This is not a valid Win32 application!), ref: 6EE068A2
                                                                                                                                                                                      • Part of subcall function 6EE06819: GetCurrentProcess.KERNEL32(000000FF), ref: 6EE068A6
                                                                                                                                                                                      • Part of subcall function 6EE06819: TerminateProcess.KERNEL32(00000000), ref: 6EE068A9
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000000), ref: 6EE05B1B
                                                                                                                                                                                      • Part of subcall function 6EE06619: GetModuleHandleW.KERNEL32(ntdll,?,?,6EE05B2F), ref: 6EE06620
                                                                                                                                                                                      • Part of subcall function 6EE06619: GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 6EE06635
                                                                                                                                                                                      • Part of subcall function 6EE06619: memset.MSVCRT ref: 6EE06645
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,GetVersionEx() has failed, cannot detect Windows version!,StdUtils::get_real_os_version,00040010), ref: 6EE05B4C
                                                                                                                                                                                      • Part of subcall function 6EE066CA: memset.MSVCRT ref: 6EE066E5
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,00000004,?), ref: 6EE06721
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,00000004,?), ref: 6EE06729
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06731
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000020,00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06739
                                                                                                                                                                                      • Part of subcall function 6EE066CA: GetLastError.KERNEL32(00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06755
                                                                                                                                                                                      • Part of subcall function 6EE066CA: MessageBoxW.USER32(00000000,VerifyVersionInfo() has failed, cannot test Windows version!,StdUtils::verify_os_version,00040010), ref: 6EE0677A
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 6EE05B5E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • GetVersionEx() has failed, cannot detect Windows version!, xrefs: 6EE05B45
                                                                                                                                                                                    • StdUtils::get_real_os_version, xrefs: 6EE05B40
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ConditionCriticalMaskProcessSection$LeaveModule$CurrentExitFatalHandleMessageTerminatememset$AddressEnterErrorExceptionFileLastNameProcRaise_snwprintf
                                                                                                                                                                                    • String ID: GetVersionEx() has failed, cannot detect Windows version!$StdUtils::get_real_os_version
                                                                                                                                                                                    • API String ID: 391845093-798312201
                                                                                                                                                                                    • Opcode ID: 2d027ca5d166da3b72cff1221fdca0add8b4ef8b5ecb87872b8fae3ea90c4b60
                                                                                                                                                                                    • Instruction ID: 03b0e445767fc3348d8af2154341b47607b913bba5d17d423456cfb61b8849ff
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2d027ca5d166da3b72cff1221fdca0add8b4ef8b5ecb87872b8fae3ea90c4b60
                                                                                                                                                                                    • Instruction Fuzzy Hash: 60916C74618741DFCB61CF68C4817997BF0BF0A758F204859F8999B381E331A9A9CF62
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CoCreateInstance.OLE32(6EE141D8,00000000,00000004,6EE17424,?,00000001,00000003,?,?,?,?,?,?,?,dn,6EE0EAAC), ref: 6EE0E8AA
                                                                                                                                                                                    • VariantInit.OLEAUT32(?), ref: 6EE0E8C2
                                                                                                                                                                                    • IUnknown_QueryService.SHLWAPI(6EE0EAAC,6EE141C8,6EE17434,?,?,?,?,?,?,?,?,dn,6EE0EAAC,?,dn,?), ref: 6EE0E90D
                                                                                                                                                                                    • GetWindowThreadProcessId.USER32(000000FF,00000003), ref: 6EE0E95B
                                                                                                                                                                                    • AllowSetForegroundWindow.USER32(00000003), ref: 6EE0E96D
                                                                                                                                                                                    • VariantClear.OLEAUT32(?), ref: 6EE0EA16
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: VariantWindow$AllowClearCreateForegroundInitInstanceProcessQueryServiceThreadUnknown_
                                                                                                                                                                                    • String ID: dn
                                                                                                                                                                                    • API String ID: 3422427859-2095038010
                                                                                                                                                                                    • Opcode ID: 091f12c24a456764e5e2f60829bd4199909317b5e7b82cc2de23fbe729f72669
                                                                                                                                                                                    • Instruction ID: d5ddd27a0866c128dc936a8a0ab02ccdc2db67e12d5f96c67e047f9b87f150f0
                                                                                                                                                                                    • Opcode Fuzzy Hash: 091f12c24a456764e5e2f60829bd4199909317b5e7b82cc2de23fbe729f72669
                                                                                                                                                                                    • Instruction Fuzzy Hash: FF51EB74A0061AEFDF40DFE5C8489EEBBB9FF89705B20849AF515E7250D7709A42CB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(6EE19550,6EE1959C), ref: 6EE05D72
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6EE19550), ref: 6EE05D9D
                                                                                                                                                                                      • Part of subcall function 6EE066CA: memset.MSVCRT ref: 6EE066E5
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,?,00000004,?), ref: 6EE06721
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,?,00000001,00000003,?,00000004,?), ref: 6EE06729
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,?,00000020,00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06731
                                                                                                                                                                                      • Part of subcall function 6EE066CA: VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000020,00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06739
                                                                                                                                                                                      • Part of subcall function 6EE066CA: GetLastError.KERNEL32(00000003,?,00000001,00000003,?,00000004,?), ref: 6EE06755
                                                                                                                                                                                      • Part of subcall function 6EE066CA: MessageBoxW.USER32(00000000,VerifyVersionInfo() has failed, cannot test Windows version!,StdUtils::verify_os_version,00040010), ref: 6EE0677A
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE05DBD
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,GetVersionEx() has failed, cannot detect Windows version!,StdUtils::get_real_os_buildNo,00040010), ref: 6EE05DEF
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 6EE05E01
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • StdUtils::get_real_os_buildNo, xrefs: 6EE05DE3
                                                                                                                                                                                    • GetVersionEx() has failed, cannot detect Windows version!, xrefs: 6EE05DE8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ConditionMask$CriticalSection$LeaveMessagememset$EnterErrorLast
                                                                                                                                                                                    • String ID: GetVersionEx() has failed, cannot detect Windows version!$StdUtils::get_real_os_buildNo
                                                                                                                                                                                    • API String ID: 3854406455-1406708275
                                                                                                                                                                                    • Opcode ID: 8d6b1f9f4af2a5603beae0a36c674095e3c5b8a77b84d10894548c5ab7077629
                                                                                                                                                                                    • Instruction ID: a0cb004b7d06275e8ce248b64f450889671145ba58b17a5f5a646b2afab68e1c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8d6b1f9f4af2a5603beae0a36c674095e3c5b8a77b84d10894548c5ab7077629
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7751163051C7528FCB208FF4D85478A7BE46F0A758F300959E4E1AB381D33285AECBA2
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 6EE05D51: EnterCriticalSection.KERNEL32(6EE19550,6EE1959C), ref: 6EE05D72
                                                                                                                                                                                      • Part of subcall function 6EE05D51: LeaveCriticalSection.KERNEL32(6EE19550), ref: 6EE05D9D
                                                                                                                                                                                    • RegOpenKeyExW.ADVAPI32(80000002,SOFTWARE\Microsoft\Windows NT\CurrentVersion,00000000,00020001,?), ref: 6EE063D6
                                                                                                                                                                                    • RegQueryValueExW.ADVAPI32(?,ReleaseId,00000000,?,?,?), ref: 6EE06409
                                                                                                                                                                                    • swscanf.MSVCRT ref: 6EE0643C
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 6EE0647F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$CloseEnterLeaveOpenQueryValueswscanf
                                                                                                                                                                                    • String ID: %lu$ReleaseId$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                                                                                                                                                    • API String ID: 4024238072-3997231445
                                                                                                                                                                                    • Opcode ID: c275ca1017a5f45806f3686c3a5fe29c92943097d6427b320cb6040a57ac930d
                                                                                                                                                                                    • Instruction ID: 844eb91635a9222bc01490b03675892181651e6d447c915279cf0ac683f7c979
                                                                                                                                                                                    • Opcode Fuzzy Hash: c275ca1017a5f45806f3686c3a5fe29c92943097d6427b320cb6040a57ac930d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5E419FB14286039FDB11CF91C885A8A77F8FB86328F204A1EE495C6E90D37591D9CF52
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 6EE13232: GetModuleHandleW.KERNEL32(msvcrt,6EE13482,?,?,6EE12C51), ref: 6EE13237
                                                                                                                                                                                      • Part of subcall function 6EE13232: GetProcAddress.KERNEL32(00000000,_get_heap_handle), ref: 6EE13247
                                                                                                                                                                                      • Part of subcall function 6EE13232: HeapValidate.KERNEL32(00000000,00000000,Q,n,?,6EE12C51), ref: 6EE1325A
                                                                                                                                                                                      • Part of subcall function 6EE13232: _msize.MSVCRT ref: 6EE13268
                                                                                                                                                                                    • KillTimer.USER32(?,?,00000000,?,6EE12C51), ref: 6EE1349D
                                                                                                                                                                                    • DestroyWindow.USER32(?,?,6EE12C51), ref: 6EE134A8
                                                                                                                                                                                    • InterlockedDecrement.KERNEL32(6EE19568), ref: 6EE134BB
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(?,?,6EE12C51), ref: 6EE134CD
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Whoops: Double destruction detected and prevented!,StdUtils::TimerDestroy,00040010), ref: 6EE134E7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • StdUtils::TimerDestroy, xrefs: 6EE134DC
                                                                                                                                                                                    • Whoops: Double destruction detected and prevented!, xrefs: 6EE134E1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                     • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                     • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??3@AddressDecrementDestroyHandleHeapInterlockedKillMessageModuleProcTimerValidateWindow_msize
                                                                                                                                                                                    • String ID: StdUtils::TimerDestroy$Whoops: Double destruction detected and prevented!
                                                                                                                                                                                    • API String ID: 2361373538-1791884560
                                                                                                                                                                                    • Opcode ID: 55e0c59e2510d78810fb0ae2c5c2f2fe44ac8b7f5b9a02e3f816c88073c1de2a
                                                                                                                                                                                    • Instruction ID: 1ea991882f44b227b4e6e8afaff302ca116c533f55e1151f80accc44044fb666
                                                                                                                                                                                    • Opcode Fuzzy Hash: 55e0c59e2510d78810fb0ae2c5c2f2fe44ac8b7f5b9a02e3f816c88073c1de2a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 49F0287221DA52AFCF614EE4EC5C9CABB659B13329332443BF25662700C73240C2C611
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll,?,?,6EE05B2F), ref: 6EE06620
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlGetVersion), ref: 6EE06635
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE06645
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0665E
                                                                                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 6EE06669
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$AddressHandleModuleProcVersion
                                                                                                                                                                                    • String ID: RtlGetVersion$ntdll
                                                                                                                                                                                    • API String ID: 3959248850-2582309562
                                                                                                                                                                                    • Opcode ID: 2f30c9947c6d768a2b357755e51f1e53e8e458a9427bdafd0552af52e8c007da
                                                                                                                                                                                    • Instruction ID: c160cda9d4c7a4612fc48fd2d786a033b7af2d563417b6d3c13082aeddd684cb
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f30c9947c6d768a2b357755e51f1e53e8e458a9427bdafd0552af52e8c007da
                                                                                                                                                                                    • Instruction Fuzzy Hash: CDF0A7B167864367EA101FF6AC4AFDB2AEC9FD230EF300029F606D5780DB20C4964166
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(6EE19550), ref: 6EE132A0
                                                                                                                                                                                    • InterlockedExchange.KERNEL32(6EE19568,00000000), ref: 6EE132BC
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Whoops: Plug-in unloaded before all timers were destroyed!,StdUtils::TimerCreate,00040010), ref: 6EE132D7
                                                                                                                                                                                    • UnregisterClassW.USER32(?), ref: 6EE132ED
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6EE19550), ref: 6EE13303
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Whoops: Plug-in unloaded before all timers were destroyed!, xrefs: 6EE132D0
                                                                                                                                                                                    • StdUtils::TimerCreate, xrefs: 6EE132CB
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$ClassEnterExchangeInterlockedLeaveMessageUnregister
                                                                                                                                                                                    • String ID: StdUtils::TimerCreate$Whoops: Plug-in unloaded before all timers were destroyed!
                                                                                                                                                                                    • API String ID: 1654513968-3010961141
                                                                                                                                                                                    • Opcode ID: de97773adf6219793cbf25b7b165bf06bb0f58d20d0e3ae91ed48c0407e69bae
                                                                                                                                                                                    • Instruction ID: a7312f655cad6df72dc2068e38646569ced630ed71ce99aabb1f424d8344c33c
                                                                                                                                                                                    • Opcode Fuzzy Hash: de97773adf6219793cbf25b7b165bf06bb0f58d20d0e3ae91ed48c0407e69bae
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6AF06868118E01AADF005FA18C0AFE93768AB0B709F510049F955FA741E76359C2D67A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(msvcrt,6EE13482,?,?,6EE12C51), ref: 6EE13237
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,_get_heap_handle), ref: 6EE13247
                                                                                                                                                                                    • HeapValidate.KERNEL32(00000000,00000000,Q,n,?,6EE12C51), ref: 6EE1325A
                                                                                                                                                                                    • _msize.MSVCRT ref: 6EE13268
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleHeapModuleProcValidate_msize
                                                                                                                                                                                    • String ID: Q,n$_get_heap_handle$msvcrt
                                                                                                                                                                                    • API String ID: 1777371918-2069788394
                                                                                                                                                                                    • Opcode ID: 4563339f3ef7a8226d243b12560487883151915643b4478f2372d519daf0b136
                                                                                                                                                                                    • Instruction ID: 408c39a1c302979dc438fbd7ecb7fcae9e77d94dfe94505d3458e49749457f6f
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4563339f3ef7a8226d243b12560487883151915643b4478f2372d519daf0b136
                                                                                                                                                                                    • Instruction Fuzzy Hash: 26E0483471C7016AEE102FF24D1DBD93698BB51B4AF614459F555D1744CF34C886E523
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 004042B5
                                                                                                                                                                                    • GetSysColor.USER32(00000000), ref: 004042F3
                                                                                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 004042FF
                                                                                                                                                                                    • SetBkMode.GDI32(?,?), ref: 0040430B
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 0040431E
                                                                                                                                                                                    • SetBkColor.GDI32(?,?), ref: 0040432E
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00404348
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 00404352
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2320649405-0
                                                                                                                                                                                    • Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                    • Instruction ID: a3c6a1d12b74a4a342abaca89036a15a37f51972f1e3113ed1cbee018e9c0b42
                                                                                                                                                                                    • Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
                                                                                                                                                                                    • Instruction Fuzzy Hash: 772156716007059BC724DF78D948B5B77F4AF81710B04893DED96A26E0D734E544CB54
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A
                                                                                                                                                                                      • Part of subcall function 00405E91: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405EA7
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                    • String ID: 9
                                                                                                                                                                                    • API String ID: 163830602-2366072709
                                                                                                                                                                                    • Opcode ID: 14dc679b194e2ee8669cd1598f353bf1a997ac59cdf020ac1a3b5a5ea93b2031
                                                                                                                                                                                    • Instruction ID: 75c70889326ed48cf653b65eedce39ba48716a77e36bbd16e72a3e0392bfe49c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 14dc679b194e2ee8669cd1598f353bf1a997ac59cdf020ac1a3b5a5ea93b2031
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9C511975D00219AEDF219F95DA88AAEB779FF04304F10443BE901B72D0DBB89982CB58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE1004B
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE1005D
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE10118
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,invalid,00000000,00000000), ref: 6EE1011E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@
                                                                                                                                                                                    • String ID: 0A$invalid
                                                                                                                                                                                    • API String ID: 1827009568-1465345006
                                                                                                                                                                                    • Opcode ID: cea03d7a2b4b029f05063d576c750417181c5de80b68e46018ba7cf818b108d3
                                                                                                                                                                                    • Instruction ID: 20ec8858b61cb976ddd68a777d65037c79e36b096008e8db15c67a5ae1cc2873
                                                                                                                                                                                    • Opcode Fuzzy Hash: cea03d7a2b4b029f05063d576c750417181c5de80b68e46018ba7cf818b108d3
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5C31D5713285024FDB159EACCC42AEB33AADB49758B21882EE815DB348F731D8E18750
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Inconsistent state detected, going to abort!,StdUtils::HashFunction_Update,00040010), ref: 6EE06F67
                                                                                                                                                                                    • abort.MSVCRT(?,6EE11E86,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 6EE06F6D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Blake2_Update internal error, going to abort!, xrefs: 6EE06F4F
                                                                                                                                                                                    • StdUtils::HashFunction_Update, xrefs: 6EE06F5B
                                                                                                                                                                                    • StdUtils::HashFunction_Update, xrefs: 6EE06F4A
                                                                                                                                                                                    • Inconsistent state detected, going to abort!, xrefs: 6EE06F60
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Messageabort
                                                                                                                                                                                    • String ID: Blake2_Update internal error, going to abort!$Inconsistent state detected, going to abort!$StdUtils::HashFunction_Update$StdUtils::HashFunction_Update
                                                                                                                                                                                    • API String ID: 372540446-3600407960
                                                                                                                                                                                    • Opcode ID: 2ec17ba2169ea7d14c9d9f2c12961cc408e6713fdb97930b266daac7e8eabb12
                                                                                                                                                                                    • Instruction ID: aed5102f06cc3df0188f72b342970160e98106ea31af1f4383315d7a43f4e85b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ec17ba2169ea7d14c9d9f2c12961cc408e6713fdb97930b266daac7e8eabb12
                                                                                                                                                                                    • Instruction Fuzzy Hash: C91191F2468612AFDB245BF4EC04FEB33BCAB44301B34482FF292A5D40DB32E5695624
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Blake2_Final internal error, going to abort!,StdUtils::HashFunction_Final,00040010), ref: 6EE0702A
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Inconsistent state detected, going to abort!,StdUtils::HashFunction_Final,00040010), ref: 6EE07048
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Inconsistent state detected, going to abort!, xrefs: 6EE07041
                                                                                                                                                                                    • Blake2_Final internal error, going to abort!, xrefs: 6EE07023
                                                                                                                                                                                    • StdUtils::HashFunction_Final, xrefs: 6EE0703C
                                                                                                                                                                                    • StdUtils::HashFunction_Final, xrefs: 6EE0701E
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message
                                                                                                                                                                                    • String ID: Blake2_Final internal error, going to abort!$Inconsistent state detected, going to abort!$StdUtils::HashFunction_Final$StdUtils::HashFunction_Final
                                                                                                                                                                                    • API String ID: 2030045667-160346839
                                                                                                                                                                                    • Opcode ID: f7573f1cbb25d5de81650ea80e2e8095be4c78c40e8181e6cc4e819cbfde0b12
                                                                                                                                                                                    • Instruction ID: 21cfb615f8cde0a4ae019e72e52a00469b48420b8447bde250fcdd66613c1494
                                                                                                                                                                                    • Opcode Fuzzy Hash: f7573f1cbb25d5de81650ea80e2e8095be4c78c40e8181e6cc4e819cbfde0b12
                                                                                                                                                                                    • Instruction Fuzzy Hash: BA012BB215C622DBD7106BE9AC16FDA33E8AB07319B31042EE545B9A84C72268E24665
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0734A
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(shell32), ref: 6EE0735C
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(shell32), ref: 6EE0736E
                                                                                                                                                                                    • LoadStringW.USER32(?,?,?,?), ref: 6EE07396
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 6EE073B8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: LibraryLoad$FreeHandleModuleStringmemset
                                                                                                                                                                                    • String ID: shell32
                                                                                                                                                                                    • API String ID: 444683323-4179111565
                                                                                                                                                                                    • Opcode ID: f0a41071cff6008fbb52064a722bd6313f9c036902fe3a2bf4945331fe9bff29
                                                                                                                                                                                    • Instruction ID: 026376c6a0387c888d1374bc2d3006ad1941c7969a17b66c9c915ee8cccb11e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: f0a41071cff6008fbb52064a722bd6313f9c036902fe3a2bf4945331fe9bff29
                                                                                                                                                                                    • Instruction Fuzzy Hash: FF11E370418245BFEF025FE9CC46BCD7FB8AF06318F2041A5EC55922D0E37589A6CB21
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404C07
                                                                                                                                                                                    • GetMessagePos.USER32 ref: 00404C0F
                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404C29
                                                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404C3B
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404C61
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                    • Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                    • Instruction ID: 457ccdd811883e010b73e4973708530e0d9e00004b69c5e73a61d7a3cd07de8f
                                                                                                                                                                                    • Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
                                                                                                                                                                                    • Instruction Fuzzy Hash: CF015271900218BAEB10DBA4DD85BFEBBBCAF95711F10412BBA50B71D0D7B499018BA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE067A6
                                                                                                                                                                                    • VerSetConditionMask.KERNEL32(00000000,00000000,00000004,00000003,?,7FFFFFFF,?), ref: 6EE067C3
                                                                                                                                                                                      • Part of subcall function 6EE06678: GetModuleHandleW.KERNEL32(ntdll,?,6EE0674B,?,0000002B,00000000,?,?,00000008,00000001,?,00000020,00000003,?,00000001,00000003), ref: 6EE06680
                                                                                                                                                                                      • Part of subcall function 6EE06678: GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 6EE06690
                                                                                                                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,7FFFFFFF,?), ref: 6EE067E3
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,VerifyVersionInfo() has failed, cannot test Windows version!,StdUtils::verify_os_buildNo,00040010), ref: 6EE06808
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • VerifyVersionInfo() has failed, cannot test Windows version!, xrefs: 6EE06802
                                                                                                                                                                                    • StdUtils::verify_os_buildNo, xrefs: 6EE067FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressConditionErrorHandleLastMaskMessageModuleProcmemset
                                                                                                                                                                                    • String ID: StdUtils::verify_os_buildNo$VerifyVersionInfo() has failed, cannot test Windows version!
                                                                                                                                                                                    • API String ID: 1975654473-1721658860
                                                                                                                                                                                    • Opcode ID: 28f29f328b88165a7aa5b06b60289d6320742d403e603f86c6579da4f57e7aab
                                                                                                                                                                                    • Instruction ID: aa705375abed8a7b09b36312cd682bf64b63d8781e70aea2c9dfa65d0304fe29
                                                                                                                                                                                    • Opcode Fuzzy Hash: 28f29f328b88165a7aa5b06b60289d6320742d403e603f86c6579da4f57e7aab
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4401DBF28141297BEB106BE49C8AFDB367CA70970CF100966F245F7681D2758DE046B5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,40000000,00000000,00000000,00000002,00000002,?,00000000,?,00000000), ref: 703E1375
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000040,?,?,703E1C05,?,?), ref: 703E138E
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000020,?,?,703E1C05,?,?), ref: 703E1399
                                                                                                                                                                                    • SetWindowLongW.USER32(00000000,000000FC,703E1260), ref: 703E13A8
                                                                                                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000023,?,?,703E1C05,?,?), ref: 703E13BB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544610964.00000000703E1000.00000020.00000001.01000000.00000006.sdmp, Offset: 703E0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703e0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$AllocGlobal$CreateLong
                                                                                                                                                                                    • String ID: static
                                                                                                                                                                                    • API String ID: 1198755920-2160076837
                                                                                                                                                                                    • Opcode ID: af18c72081605a88bfd0ac2233818e3b822b595ad8c65d82eb3987c9f1313714
                                                                                                                                                                                    • Instruction ID: cffdb53342da449877d5fe9d376551bea0d957ad0a9eec2280a2bf93c828ee8f
                                                                                                                                                                                    • Opcode Fuzzy Hash: af18c72081605a88bfd0ac2233818e3b822b595ad8c65d82eb3987c9f1313714
                                                                                                                                                                                    • Instruction Fuzzy Hash: E9F0307278432076F6305766AC4FF9ABA589B84F21F310355F705BE2D0C6F8AD008798
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00401DBC
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
                                                                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401DEF
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(0041E5D0), ref: 00401E3E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectRelease
                                                                                                                                                                                    • String ID: MS Shell Dlg
                                                                                                                                                                                    • API String ID: 3808545654-76309092
                                                                                                                                                                                    • Opcode ID: 0e1e500c30e805fc948415589c08143fac03f34b0e69f739ebe91b2620e6c296
                                                                                                                                                                                    • Instruction ID: 2f87ef527a079fcd98b3174ff93e15f92fad6858fb92d4176ae60913c966d855
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0e1e500c30e805fc948415589c08143fac03f34b0e69f739ebe91b2620e6c296
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A01B575604240BFE700ABF1AE0ABDD7FB5AB55309F10887DF641B61E2DA7840458B2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,703F21EC,?,00000808), ref: 703F1635
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,703F21EC,?,00000808), ref: 703F163C
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,703F21EC,?,00000808), ref: 703F1650
                                                                                                                                                                                    • GetProcAddress.KERNEL32(!?p,00000000), ref: 703F1657
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F1660
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                                                                                                    • String ID: !?p
                                                                                                                                                                                    • API String ID: 1148316912-436958881
                                                                                                                                                                                    • Opcode ID: c8813946face3fc252df632dff923013beb6e47d1454eac95c627f5b37327b97
                                                                                                                                                                                    • Instruction ID: c4d8132721d386bbd41a93b0c6a97aff4053d2c142397ae4e471841d35605a47
                                                                                                                                                                                    • Opcode Fuzzy Hash: c8813946face3fc252df632dff923013beb6e47d1454eac95c627f5b37327b97
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1DF0AC732061397BE62117AB8C4CD9BBE9CDF8B2F5B210215F728921A0CAA15D01D7F1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
                                                                                                                                                                                    • MulDiv.KERNEL32(06399284,00000064,0639E5A0), ref: 00402E3C
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00402E4C
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00402E5C
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E6E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402E46
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                    • Opcode ID: 087799c81dd47644162d60d698aafe3a885b0c6ac9c219555e2ca42e9c1670eb
                                                                                                                                                                                    • Instruction ID: dfd142ddc65d39fdaa73b229a9921dc7c235b7e072e3123d651e00bd55f03bcf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 087799c81dd47644162d60d698aafe3a885b0c6ac9c219555e2ca42e9c1670eb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 60014F7164020CABEF209F60DE49FAE3B69AB44304F008439FA06B51E0DBB895558B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 703F121B: GlobalAlloc.KERNEL32(00000040,?,703F123B,?,703F12DF,00000019,703F11BE,-000000A0), ref: 703F1225
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 703F2657
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F268C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                    • Opcode ID: 2b161ac822785a49077be9a716c569fffdc8b36aad25f2a163df3e80ea408bf4
                                                                                                                                                                                    • Instruction ID: c17e39857e99ac6f18bc4895c5dede02b535251ccc9cc6d7b31d7aa43188184a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2b161ac822785a49077be9a716c569fffdc8b36aad25f2a163df3e80ea408bf4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8C31AB3210410AEFD7168F95DC94D2EBBBEFB86300320452EF642C7264CBB1B855DB61
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00402956
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402969
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                    • Opcode ID: ff87bf99e36aab27b6384dee017154e4bdeff7ac382f3b09721b2446f84e6f42
                                                                                                                                                                                    • Instruction ID: 85d8fb478e53a7d33050a02afe9876517184a336e4e72b82bbd0c3cba42884f9
                                                                                                                                                                                    • Opcode Fuzzy Hash: ff87bf99e36aab27b6384dee017154e4bdeff7ac382f3b09721b2446f84e6f42
                                                                                                                                                                                    • Instruction Fuzzy Hash: D121AEB1800128BBDF116FA5DE89DDE7E79EF08364F14423AF960762E0CB794C418B98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateWindowExW.USER32(00000000,?,00000000,00000000,00000000,00000000,00000001,00000001,000000FD,00000000,00000000,00000000), ref: 6EE133EE
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000018,?,?,?,6EE12B75,00000000,00000000,?,?,?), ref: 6EE133FD
                                                                                                                                                                                    • SetTimer.USER32(00000000,00000000,000005DC), ref: 6EE13441
                                                                                                                                                                                    • DestroyWindow.USER32(00000000,?,6EE12B75,00000000,00000000,?,?,?), ref: 6EE1344D
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,?,6EE12B75,00000000,00000000,?,?,?), ref: 6EE13454
                                                                                                                                                                                      • Part of subcall function 6EE1330C: EnterCriticalSection.KERNEL32(6EE19550,00000000,6EE133C9,00000000,?,?,6EE12B75,00000000,00000000,?,?,?), ref: 6EE13319
                                                                                                                                                                                      • Part of subcall function 6EE1330C: RegisterClassW.USER32(?), ref: 6EE13353
                                                                                                                                                                                      • Part of subcall function 6EE1330C: LeaveCriticalSection.KERNEL32(6EE19550,?,?,6EE12B75,00000000,00000000,?,?,?), ref: 6EE1337E
                                                                                                                                                                                    • InterlockedIncrement.KERNEL32(6EE19568), ref: 6EE1346B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSectionWindow$??2@??3@ClassCreateDestroyEnterIncrementInterlockedLeaveRegisterTimer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 510415137-0
                                                                                                                                                                                    • Opcode ID: f1d85df9c39964c0460ff1c2fa96fab5c8c81f80cc441d17ba5e55b8890ad9b2
                                                                                                                                                                                    • Instruction ID: 12fd547696c73d6227a76282206c223c241d238abe8625ef2c5b331440c8cd0e
                                                                                                                                                                                    • Opcode Fuzzy Hash: f1d85df9c39964c0460ff1c2fa96fab5c8c81f80cc441d17ba5e55b8890ad9b2
                                                                                                                                                                                    • Instruction Fuzzy Hash: D721A1B5105B15AFCB119F95C849ADB7FE8EF06764B114419F91897740C73184C2CFA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • OpenProcess.KERNEL32(00100401,00000000,?,0000025E,?,00004000,?), ref: 10001054
                                                                                                                                                                                    • EnumWindows.USER32(10001007,?), ref: 10001074
                                                                                                                                                                                    • GetExitCodeProcess.KERNEL32(00000000,?), ref: 10001084
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00000BB8), ref: 1000109D
                                                                                                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 100010AE
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 100010C5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2543042678.0000000010001000.00000020.00000001.01000000.00000008.sdmp, Offset: 10000000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_10000000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Process$CloseCodeEnumExitHandleObjectOpenSingleTerminateWaitWindows
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3465249596-0
                                                                                                                                                                                    • Opcode ID: ba2bc8da3a6140de48577a9aba2e14b09a295dc7b85f115a3014824a2a14e04b
                                                                                                                                                                                    • Instruction ID: a75cb7c18b994dd6f526631e0a7af626cc5939ab073c97fe0f3ca5b5d0fb8a21
                                                                                                                                                                                    • Opcode Fuzzy Hash: ba2bc8da3a6140de48577a9aba2e14b09a295dc7b85f115a3014824a2a14e04b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3811E235A00299EFFB00DFA5CDC8AEE77BCEB456C5F014069FA4192149D7B49981CB62
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0FCB1
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FCC4
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FD34
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000), ref: 6EE0FD3A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1827009568-2007828011
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0FA3E
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FA51
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FA9A
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000), ref: 6EE0FAA0
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1827009568-2007828011
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0FB14
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FB27
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FB69
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000), ref: 6EE0FB6F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1827009568-2007828011
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000), ref: 6EE0FBE2
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FBF5
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0FC39
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00002000,00000000,00000000,00000000), ref: 6EE0FC3F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memset$??2@??3@
                                                                                                                                                                                    • String ID: 0A
                                                                                                                                                                                    • API String ID: 1827009568-2007828011
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065B1
                                                                                                                                                                                    • CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004065C0
                                                                                                                                                                                    • CharNextW.USER32(?,00000000,004DF000,004DF000,004CB000,0040336A,004DF000,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065C5
                                                                                                                                                                                    • CharPrevW.USER32(?,?,004DF000,004DF000,004CB000,0040336A,004DF000,771B3420,004035D9,?,00000006,00000008,0000000A), ref: 004065D8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Char$Next$Prev
                                                                                                                                                                                    • String ID: *?|<>/":
                                                                                                                                                                                    • API String ID: 589700163-165019052
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,000000FF,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\System.dll,00002000,?,?,00000021), ref: 004025E8
                                                                                                                                                                                    • lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\System.dll,?,?,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,000000FF,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\System.dll,00002000,?,?,00000021), ref: 004025F3
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWidelstrlen
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\System.dll
                                                                                                                                                                                    • API String ID: 3109718747-1146743709
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _beginthreadex.MSVCRT ref: 6EE0EA5B
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(00000000,00007530,?,?,?,?,?,?,?,?,?,?,?,76744C50), ref: 6EE0EA75
                                                                                                                                                                                    • TerminateThread.KERNEL32(00000000,00000001,?,?,?,?,?,?,?,?,?,?,?,76744C50), ref: 6EE0EA92
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,76744C50), ref: 6EE0EA99
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandleObjectSingleTerminateThreadWait_beginthreadex
                                                                                                                                                                                    • String ID: dn
                                                                                                                                                                                    • API String ID: 1973763741-2095038010
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,RandMinMax() was called with bad arguments!,StdUtils,00002010), ref: 6EE0EED9
                                                                                                                                                                                      • Part of subcall function 6EE137EB: wsprintfW.USER32 ref: 6EE13803
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Messagewsprintf
                                                                                                                                                                                    • String ID: 0A$RandMinMax() was called with bad arguments!$StdUtils$einval
                                                                                                                                                                                    • API String ID: 300413163-1866428257
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,RandMax() was called with bad arguments!,StdUtils,00002010), ref: 6EE0EE33
                                                                                                                                                                                      • Part of subcall function 6EE137EB: wsprintfW.USER32 ref: 6EE13803
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Messagewsprintf
                                                                                                                                                                                    • String ID: 0A$RandMax() was called with bad arguments!$StdUtils$einval
                                                                                                                                                                                    • API String ID: 300413163-2275736246
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(ntdll,?,6EE0674B,?,0000002B,00000000,?,?,00000008,00000001,?,00000020,00000003,?,00000001,00000003), ref: 6EE06680
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,RtlVerifyVersionInfo), ref: 6EE06690
                                                                                                                                                                                    • VerifyVersionInfoW.KERNEL32(00000001,?,00000003,00000020), ref: 6EE066BC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleInfoModuleProcVerifyVersion
                                                                                                                                                                                    • String ID: RtlVerifyVersionInfo$ntdll
                                                                                                                                                                                    • API String ID: 2421535698-1699696460
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFileVersioncallocfreememset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 233172667-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wcsicmp_wcsnicmpiswgraphwcschrwcsncpy
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3078426274-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(6EE19550,00000000,00000000,00000000,00000000), ref: 6EE07867
                                                                                                                                                                                    • __wgetmainargs.MSVCRT ref: 6EE07893
                                                                                                                                                                                    • GetVersion.KERNEL32 ref: 6EE078A0
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6EE19550), ref: 6EE078E4
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6EE19550), ref: 6EE078F7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$Leave$EnterVersion__wgetmainargs
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 749008033-0
                                                                                                                                                                                    • Opcode ID: 42dff7bb29bd65f7e18972e831634f4a2f6a5c4ab7956badaf53e72f9431dc49
                                                                                                                                                                                    • Instruction ID: ce693e2358f0f861f66b0820aae304cda6684552d1633860e141c73ffaae5842
                                                                                                                                                                                    • Opcode Fuzzy Hash: 42dff7bb29bd65f7e18972e831634f4a2f6a5c4ab7956badaf53e72f9431dc49
                                                                                                                                                                                    • Instruction Fuzzy Hash: ED012B204189206ADF00AFE198197ED7B685F4730DF200059D952B63C6C77A42D6D773
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D63
                                                                                                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00401D70
                                                                                                                                                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401DAE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                                                    • Opcode ID: aa13740a01abf0a12383255fbb6bacfc07128faef757ca7dce2eb0223a04ec7c
                                                                                                                                                                                    • Instruction ID: d9fd13ec482603559a9c09f77eb5ae76b99fbdc016b4c624d38ebcad95bf5f4c
                                                                                                                                                                                    • Opcode Fuzzy Hash: aa13740a01abf0a12383255fbb6bacfc07128faef757ca7dce2eb0223a04ec7c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 28F0FF72A04518AFDB01DBE4DF88CEEB7BCEB48341B14047AF641F61A0CA749D519B78
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(00450248,00450248,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404B7F
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404B88
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00450248), ref: 00404B9B
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                                                                    • Opcode ID: c75ab1504dd8104253bdc04bf71218fd338cad173e8ef5afb4fab122f1cee964
                                                                                                                                                                                    • Instruction ID: 65d6ef813479b3ccfd969ec0db039784a4d8c6b5967a53089d3579ec78c560c8
                                                                                                                                                                                    • Opcode Fuzzy Hash: c75ab1504dd8104253bdc04bf71218fd338cad173e8ef5afb4fab122f1cee964
                                                                                                                                                                                    • Instruction Fuzzy Hash: 401193736041282ADB00656D9C45F9E369C9B85334F25423BFA65F21D1E979D82582E8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _wcsicmp.MSVCRT ref: 6EE11D66
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,And invalid hash function has been specified!,StdUtils,00002010), ref: 6EE11D96
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • And invalid hash function has been specified!, xrefs: 6EE11D90
                                                                                                                                                                                    • StdUtils, xrefs: 6EE11D8B
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message_wcsicmp
                                                                                                                                                                                    • String ID: And invalid hash function has been specified!$StdUtils
                                                                                                                                                                                    • API String ID: 269843332-1797804575
                                                                                                                                                                                    • Opcode ID: b74ed7c07fcabdd79568a13ea28fcdeddb61a7097647ca60fad8f0af7a556f1d
                                                                                                                                                                                    • Instruction ID: 9e58f24f26d69316ce3a3b5433995248ba7a1f24d061dd8b421fef41dbf22877
                                                                                                                                                                                    • Opcode Fuzzy Hash: b74ed7c07fcabdd79568a13ea28fcdeddb61a7097647ca60fad8f0af7a556f1d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 10316EB0519E419EEF00CFA5E987BC53AB5B343359F20422AD251AAB90E37740C6CF69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Output buffer is too small to hold the hash value!,StdUtils::HashUtils,00040010), ref: 6EE072F6
                                                                                                                                                                                      • Part of subcall function 6EE06CBA: memset.MSVCRT ref: 6EE06CCA
                                                                                                                                                                                      • Part of subcall function 6EE134F1: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,?,6EE101BF,00000000,00000000), ref: 6EE1350F
                                                                                                                                                                                      • Part of subcall function 6EE134F1: ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,?,?,6EE101BF,00000000,00000000,00000000), ref: 6EE13518
                                                                                                                                                                                      • Part of subcall function 6EE134F1: WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,6EE101BF,00000000,00000000,00000000), ref: 6EE1352F
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00000000), ref: 6EE072B8
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Output buffer is too small to hold the hash value!, xrefs: 6EE072EF
                                                                                                                                                                                    • StdUtils::HashUtils, xrefs: 6EE072EA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$??2@??3@Messagememset
                                                                                                                                                                                    • String ID: Output buffer is too small to hold the hash value!$StdUtils::HashUtils
                                                                                                                                                                                    • API String ID: 917187386-2810855571
                                                                                                                                                                                    • Opcode ID: de949198e4968681102e8693449e671e6572f27073a18d461beda89037f79db4
                                                                                                                                                                                    • Instruction ID: dfcd1de58c97a2280c121ca5e47ea290bc851be6ae9dfea87888efaeda10b10f
                                                                                                                                                                                    • Opcode Fuzzy Hash: de949198e4968681102e8693449e671e6572f27073a18d461beda89037f79db4
                                                                                                                                                                                    • Instruction Fuzzy Hash: C01190722186055BC700BAE8DC45BDA3799DB87328F300619FC54A77C0CFB19DAAC291
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _snwprintf
                                                                                                                                                                                    • String ID: 0A$TimerId:%08X$error
                                                                                                                                                                                    • API String ID: 3988819677-3919555845
                                                                                                                                                                                    • Opcode ID: 5e7b0f0b5dfc003a376a0c5c5dc6d2f7ce312a05b415cbd95cc0ca4a1c70e9ea
                                                                                                                                                                                    • Instruction ID: ab67ec421e030d9d66b71954f2d38fae83b8d8def20209788da1732876b19238
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e7b0f0b5dfc003a376a0c5c5dc6d2f7ce312a05b415cbd95cc0ca4a1c70e9ea
                                                                                                                                                                                    • Instruction Fuzzy Hash: 18117371A04606ABDF11DFE9CC09EDA37ACAF0A368B114429F915E7340E731D491CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000003,00000000,?,6EE1036D,00000000,00000000,00000000), ref: 6EE012D1
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE012F0
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000,00000000,00000000,00000003,6EE1036D,00000000,00000000,00000000), ref: 6EE012F6
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@, xrefs: 6EE012AC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ??2@??3@memset
                                                                                                                                                                                    • String ID: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@>@@@?456789:;<=@@@@@@@
                                                                                                                                                                                    • API String ID: 808632339-1856702088
                                                                                                                                                                                    • Opcode ID: c176b6aa29dc05238b5d8f048ecee2c4f87e2c93bd6c831d98ba3c47fdf98ba7
                                                                                                                                                                                    • Instruction ID: c5c8eabba5060a90968738883be95032bc34fa15c994c8b5b63e2aa7eb88510b
                                                                                                                                                                                    • Opcode Fuzzy Hash: c176b6aa29dc05238b5d8f048ecee2c4f87e2c93bd6c831d98ba3c47fdf98ba7
                                                                                                                                                                                    • Instruction Fuzzy Hash: AAF0F6711082015FD3109FE8DDC5B2B77E8EBC171EF340C1DF481CA281D765959AE622
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,Inconsistent state detected, going to abort!,StdUtils::Blake2_Size,00040010), ref: 6EE06C0E
                                                                                                                                                                                    • abort.MSVCRT ref: 6EE06C14
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • StdUtils::Blake2_Size, xrefs: 6EE06C02
                                                                                                                                                                                    • Inconsistent state detected, going to abort!, xrefs: 6EE06C07
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Messageabort
                                                                                                                                                                                    • String ID: Inconsistent state detected, going to abort!$StdUtils::Blake2_Size
                                                                                                                                                                                    • API String ID: 372540446-3734068583
                                                                                                                                                                                    • Opcode ID: 2f890f7c4df7ca4620862a4a8c3675ffcef790b28a2d8d08767884a744777818
                                                                                                                                                                                    • Instruction ID: 8824776f21819cab574b38c696f1ab97e0f6b40877d9da76a3aa98620436ccaf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2f890f7c4df7ca4620862a4a8c3675ffcef790b28a2d8d08767884a744777818
                                                                                                                                                                                    • Instruction Fuzzy Hash: A3E012B12B560B25FC9006949D67BD42A12E395B6BFB04941F725DCAD9DBD080D0F014
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • srand.MSVCRT ref: 6EE082DD
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(?,6EE0ED33,?,6EE1959C,?,6EE0EDAE,00000000), ref: 6EE082EA
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,SystemFunction036), ref: 6EE082FA
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressHandleModuleProcsrand
                                                                                                                                                                                    • String ID: SystemFunction036
                                                                                                                                                                                    • API String ID: 2512791500-2669272182
                                                                                                                                                                                    • Opcode ID: e6675888b2f5f2a8e30d4385a135afce43b3f3ba5a2c6fb12dd66a77d9004d2d
                                                                                                                                                                                    • Instruction ID: 9882c196c3eb2ffca76093eafd3207234a50aaff3f11b47252ad39b8e7049daa
                                                                                                                                                                                    • Opcode Fuzzy Hash: e6675888b2f5f2a8e30d4385a135afce43b3f3ba5a2c6fb12dd66a77d9004d2d
                                                                                                                                                                                    • Instruction Fuzzy Hash: ECE0D135514E524FDB415FF5CD195D236DCAF0721D321053DE555D3744EB3084D2CA96
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,?,?,00001000), ref: 6EE0A700
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,00001000), ref: 6EE0A76C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: @$@
                                                                                                                                                                                    • API String ID: 3510742995-149943524
                                                                                                                                                                                    • Opcode ID: a36ba991c608406db8cffdd347e1d060245d3c2f916d169fcbcb4ea6cb3fd604
                                                                                                                                                                                    • Instruction ID: e957387705f91ca1f1eb0addffbdf1699df12b0f0b303f2017476c27cef959a6
                                                                                                                                                                                    • Opcode Fuzzy Hash: a36ba991c608406db8cffdd347e1d060245d3c2f916d169fcbcb4ea6cb3fd604
                                                                                                                                                                                    • Instruction Fuzzy Hash: 28116A72940319ABDF058FA8D8846DE3379FF04764F24892AFD194A241F7B5CAA0CB80
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(00000000,00000000), ref: 6EE0E76D
                                                                                                                                                                                    • memset.MSVCRT ref: 6EE0E797
                                                                                                                                                                                    • GetVersionExW.KERNEL32(?,?,?,76744C50), ref: 6EE0E7AC
                                                                                                                                                                                    • ShellExecuteW.SHELL32(?,?,00000000,?,00000000,00000001), ref: 6EE0E813
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesExecuteFileShellVersionmemset
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2081363345-0
                                                                                                                                                                                    • Opcode ID: aa302fae494c80c29e3b3636f6ab5c775041a4a425ce9d83fa9d89873370d88f
                                                                                                                                                                                    • Instruction ID: 8fb11b4851fabefb51866a110b1593847c1864d49696ec6133f1635760fe31f0
                                                                                                                                                                                    • Opcode Fuzzy Hash: aa302fae494c80c29e3b3636f6ab5c775041a4a425ce9d83fa9d89873370d88f
                                                                                                                                                                                    • Instruction Fuzzy Hash: C62177B1910619EFDF51CFD4D885BCDB7B8AB08314F2040AAE515A6290E7309BA08BA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(?,00000000,00000000,?,00001000,?,6EE06EF7,?,?,?,6EE0718F), ref: 6EE08E73
                                                                                                                                                                                    • memcpy.MSVCRT(00000000,00000000,00000000,?,00001000,?,6EE06EF7,?,?,?,6EE0718F), ref: 6EE08EDB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: @$@
                                                                                                                                                                                    • API String ID: 3510742995-149943524
                                                                                                                                                                                    • Opcode ID: f8b57ff5a7e8783ffda24da02ee1b389f4b53c6adf8c8f2f4e52eee1b8315496
                                                                                                                                                                                    • Instruction ID: 5982edd8c57244a8d8d6934a99c9dd75fdba5c041782499749de685b12597603
                                                                                                                                                                                    • Opcode Fuzzy Hash: f8b57ff5a7e8783ffda24da02ee1b389f4b53c6adf8c8f2f4e52eee1b8315496
                                                                                                                                                                                    • Instruction Fuzzy Hash: B5116D72910719AFDB05CF98CC846EA7769BF14764F104929FD194B241E3B1DAB1CB88
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • memcpy.MSVCRT(00001000,6EE06F07,?), ref: 6EE0917F
                                                                                                                                                                                    • memcpy.MSVCRT(?,6EE06F07,00000000), ref: 6EE091E7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: memcpy
                                                                                                                                                                                    • String ID: @$@
                                                                                                                                                                                    • API String ID: 3510742995-149943524
                                                                                                                                                                                    • Opcode ID: fd5d3abbb9c9639ec2fb595519174a39645128f9095b081f92212ad495bc6e5b
                                                                                                                                                                                    • Instruction ID: 74aaaf34b83e34cc916d05d7a036b7f6b9f2fb2c2785346d526587572c1a9381
                                                                                                                                                                                    • Opcode Fuzzy Hash: fd5d3abbb9c9639ec2fb595519174a39645128f9095b081f92212ad495bc6e5b
                                                                                                                                                                                    • Instruction Fuzzy Hash: E7116072A00319ABDF048F64CC886DA3769FF44764F118429FD594B245E7B6DAA1CBC0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Close$Enum
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 464197530-0
                                                                                                                                                                                    • Opcode ID: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                                                                                                                                    • Instruction ID: fc7ade2e12cd9e993d25f9a328d8db16c9603ee1eb20de8c24b8f84b94a82c23
                                                                                                                                                                                    • Opcode Fuzzy Hash: a4e23b119c2c64eb18a4fa0724f9b8d9fe0ec592ff9815e45bdb7592abe1cef3
                                                                                                                                                                                    • Instruction Fuzzy Hash: B4116A32500109FBDF02AB90CE09FEE7B7DAF54340F100076B904B51E1E7B59E21AB68
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,?,?,00000000,6EE10399,00000000,00000000,00000000), ref: 6EE1357B
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,6EE10399,00000000,00000000,00000000), ref: 6EE13592
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(0000FDE9,00000000,000000FF,000000FF,00000000,00000000,00000000,6EE10399,00000000,00000000,00000000), ref: 6EE135A6
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(00000000), ref: 6EE135C2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$??2@??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 857525753-0
                                                                                                                                                                                    • Opcode ID: 2703ea26183ca3ce1f508bdef54ea737c31326b2252839e540377d87c0b235c7
                                                                                                                                                                                    • Instruction ID: bea74f41f319ff043dd0c596ad479645a60b31b753a24c7c6f58dc75f69a4388
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2703ea26183ca3ce1f508bdef54ea737c31326b2252839e540377d87c0b235c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: ED0149B33085152FF71015A85C89FB7768CE7457BDF22063AF511D13D4C6408C810660
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?,?,6EE101BF,00000000,00000000), ref: 6EE1350F
                                                                                                                                                                                    • ??2@YAPAXI@Z.MSVCRT(00000000,?,00000000,?,?,?,6EE101BF,00000000,00000000,00000000), ref: 6EE13518
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(0000FDE9,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000000,?,?,?,6EE101BF,00000000,00000000,00000000), ref: 6EE1352F
                                                                                                                                                                                    • ??3@YAXPAX@Z.MSVCRT(6EE101BF,?,?,?,6EE101BF,00000000,00000000,00000000), ref: 6EE13551
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharMultiWide$??2@??3@
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 857525753-0
                                                                                                                                                                                    • Opcode ID: e5469e063034d121f2afbf7f16c121877b5eb3f166ea20c6359579df356db5be
                                                                                                                                                                                    • Instruction ID: a4bc50ed41223a0f8859a8c8c0d41532bd5c6bada2d7c1af4079788b2b06fa3c
                                                                                                                                                                                    • Opcode Fuzzy Hash: e5469e063034d121f2afbf7f16c121877b5eb3f166ea20c6359579df356db5be
                                                                                                                                                                                    • Instruction Fuzzy Hash: F1014EB210C5597FB7016E548CC8CBBB79CDB467BDB220B2AF47092290C7109C864671
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • EnterCriticalSection.KERNEL32(6EE19550,00000000,6EE133C9,00000000,?,?,6EE12B75,00000000,00000000,?,?,?), ref: 6EE13319
                                                                                                                                                                                    • RegisterClassW.USER32(?), ref: 6EE13353
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6EE19550,?,?,6EE12B75,00000000,00000000,?,?,?), ref: 6EE1337E
                                                                                                                                                                                    • LeaveCriticalSection.KERNEL32(6EE19550,?,?,6EE12B75,00000000,00000000,?,?), ref: 6EE13391
                                                                                                                                                                                      • Part of subcall function 6EE0591F: EnterCriticalSection.KERNEL32(6EE19550,6EE19550,?,?,?,6EE078DB,6EE077E1), ref: 6EE0592B
                                                                                                                                                                                      • Part of subcall function 6EE0591F: LeaveCriticalSection.KERNEL32(6EE19550,?,?,?,6EE078DB), ref: 6EE0595F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSection$Leave$Enter$ClassRegister
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1868153721-0
                                                                                                                                                                                    • Opcode ID: cb61aae2d49af11104e8c727bf7204da7f159bba0bce7585267347ccf5587c0b
                                                                                                                                                                                    • Instruction ID: a2d0bfe448af2978e49b0a6ec8aa1985d28c86d012dd4c36a31a29c8a59821cb
                                                                                                                                                                                    • Opcode Fuzzy Hash: cb61aae2d49af11104e8c727bf7204da7f159bba0bce7585267347ccf5587c0b
                                                                                                                                                                                    • Instruction Fuzzy Hash: CB01D638518654EACF009FF4D40A7DD77786F0B708B110049E461B7B40DB3206C2CB7A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6EE059CD
                                                                                                                                                                                    • DispatchMessageW.USER32(?), ref: 6EE059D7
                                                                                                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6EE059E6
                                                                                                                                                                                    • Sleep.KERNEL32(00000000), ref: 6EE059ED
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Peek$DispatchSleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3374569338-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6EE05A01
                                                                                                                                                                                      • Part of subcall function 6EE059B1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6EE059CD
                                                                                                                                                                                      • Part of subcall function 6EE059B1: DispatchMessageW.USER32(?), ref: 6EE059D7
                                                                                                                                                                                      • Part of subcall function 6EE059B1: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 6EE059E6
                                                                                                                                                                                      • Part of subcall function 6EE059B1: Sleep.KERNEL32(00000000), ref: 6EE059ED
                                                                                                                                                                                    • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,?,000005FF), ref: 6EE05A27
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 6EE05A35
                                                                                                                                                                                    • MsgWaitForMultipleObjects.USER32(00000000,00000000,00000000,?,000005FF), ref: 6EE05A50
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$CountMultipleObjectsPeekTickWait$DispatchSleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 550391478-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,00403059,00000001,?,00000006,00000008,0000000A), ref: 00402E8C
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 00402EAA
                                                                                                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402EC7
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402ED5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: _wsetlocale
                                                                                                                                                                                    • String ID: 0A$too_long
                                                                                                                                                                                    • API String ID: 756335651-3276959144
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • _wsetlocale.MSVCRT ref: 6EE11667
                                                                                                                                                                                      • Part of subcall function 6EE136D0: GlobalAlloc.KERNEL32(00000040,?,6EE1959C,6EE13818,?), ref: 6EE136E6
                                                                                                                                                                                      • Part of subcall function 6EE136D0: lstrcpynW.KERNEL32(00000004,?), ref: 6EE136FC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocGlobal_wsetlocalelstrcpyn
                                                                                                                                                                                    • String ID: 0A$error
                                                                                                                                                                                    • API String ID: 2697924176-3130266295
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 004052C5
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405316
                                                                                                                                                                                      • Part of subcall function 0040427D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040428F
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2539022383.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539256570.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040A000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000040E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000412000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.000000000041E000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000448000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000469000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FB000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.00000000004FF000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2539378566.0000000000553000.00000004.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2540184864.000000000059F000.00000002.00000001.01000000.00000003.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                    • Opcode ID: 7d5e46cc1e5f02d88c983cfba86e53e431cbed6f21b5100807b47a566b29449e
                                                                                                                                                                                    • Instruction ID: 334c9fee3abb3f39d596823d3a3537c7effd0098edc8ca0b3d981ed7cb288a41
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7d5e46cc1e5f02d88c983cfba86e53e431cbed6f21b5100807b47a566b29449e
                                                                                                                                                                                    • Instruction Fuzzy Hash: F9015A31100709ABEB205F51DD94A9B3B26EB84795F20507AFA007A1D1D7BA9C919E2E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxW.USER32(00000000,The specified hash type is unknown/unsupported!,StdUtils::HashUtils,00040010), ref: 6EE06C71
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • StdUtils::HashUtils, xrefs: 6EE06C65
                                                                                                                                                                                    • The specified hash type is unknown/unsupported!, xrefs: 6EE06C6A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message
                                                                                                                                                                                    • String ID: StdUtils::HashUtils$The specified hash type is unknown/unsupported!
                                                                                                                                                                                    • API String ID: 2030045667-651258368
                                                                                                                                                                                    • Opcode ID: 41f62097e5d457da74ec0b6998e7dd31c1793413553bb4d01f88bd19bf0ccb14
                                                                                                                                                                                    • Instruction ID: 861ce38f96bf0131812686236349eb383dd6a4af16606a868e20364d891c9afa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 41f62097e5d457da74ec0b6998e7dd31c1793413553bb4d01f88bd19bf0ccb14
                                                                                                                                                                                    • Instruction Fuzzy Hash: 03E04FF22D670474F96005986C27FC022118389B37F748D82F351DC5D8CBE100D4B118
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 703F116A
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F11C7
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 703F11D9
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 703F1203
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544964043.00000000703F1000.00000020.00000001.01000000.00000004.sdmp, Offset: 703F0000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2544917372.00000000703F0000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2545023662.00000000703F4000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2545076782.00000000703F6000.00000002.00000001.01000000.00000004.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_703f0000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                    • Opcode ID: 28ab98f667aa77a42812c2226d3b81c73f66b434f81a3705a81f4fc27d65cdc4
                                                                                                                                                                                    • Instruction ID: 4562959951758b9cf7a3324901c1b6d976a6fda9efb3db23bdfa47a593e2dd84
                                                                                                                                                                                    • Opcode Fuzzy Hash: 28ab98f667aa77a42812c2226d3b81c73f66b434f81a3705a81f4fc27d65cdc4
                                                                                                                                                                                    • Instruction Fuzzy Hash: F13160B250020AAFD7008FA6ED46A6E7BFCEB45311721052AFA46DB364EB75F941C760
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2544031350.000000006EE01000.00000020.00000001.01000000.00000005.sdmp, Offset: 6EE00000, based on PE: true
                                                                                                                                                                                    • Associated: 00000000.00000002.2543843752.000000006EE00000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544195600.000000006EE14000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544252559.000000006EE19000.00000004.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    • Associated: 00000000.00000002.2544362904.000000006EE1A000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_6ee00000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CriticalSectionfree$EnterLeave
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2088343094-0
                                                                                                                                                                                    • Opcode ID: 95d97e4bd858aa10422ad9624ab92650b8fbd669c2d1864e6df0740ef28534e0
                                                                                                                                                                                    • Instruction ID: 6fd9a460ba143fb2c9257410ee7e615135ad49bf3aea09cbcfdb1164fb90634c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 95d97e4bd858aa10422ad9624ab92650b8fbd669c2d1864e6df0740ef28534e0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20012671A24E529BEF00DFAAE856BD53BA89B4321DF20005DE540E7781E7A6E8C1C771
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D25
                                                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405D3D
                                                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D4E
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00405FFA,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D57
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000000.00000002.2539142256.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_0_2_400000_Collaboration-x64.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                    • Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                    • Instruction ID: cc601e2af81a4130f3690bf6756e9ae730db34a97aa71f580e1783f9e5236296
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3DF0F631200818FFC7129FA4DD049AFBBA8EF06354B2580BAE840F7211D634DE02AF98

                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:19.3%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                    Total number of Nodes:1563
                                                                                                                                                                                    Total number of Limit Nodes:32
70141019 4980->4981 4984 701415bc 4982->4984 4983 701415c2 4983->4977 4984->4983 4985 701415ce GlobalFree 4984->4985 4985->4977 4986 401956 4987 402da6 17 API calls 4986->4987 4988 40195d lstrlenW 4987->4988 4989 402638 4988->4989 4624 4014d7 4625 402d84 17 API calls 4624->4625 4626 4014dd Sleep 4625->4626 4628 402c2a 4626->4628 4629 4020d8 4630 40219c 4629->4630 4631 4020ea 4629->4631 4633 401423 24 API calls 4630->4633 4632 402da6 17 API calls 4631->4632 4634 4020f1 4632->4634 4640 4022f6 4633->4640 4635 402da6 17 API calls 4634->4635 4636 4020fa 4635->4636 4637 402110 LoadLibraryExW 4636->4637 4638 402102 GetModuleHandleW 4636->4638 4637->4630 4639 402121 4637->4639 4638->4637 4638->4639 4652 406979 4639->4652 4643 402132 4646 402151 4643->4646 4647 40213a 4643->4647 4644 40216b 4645 40559f 24 API calls 4644->4645 4649 402142 4645->4649 4657 70141817 4646->4657 4648 401423 24 API calls 4647->4648 4648->4649 4649->4640 4650 40218e FreeLibrary 4649->4650 4650->4640 4699 40655f WideCharToMultiByte 4652->4699 4654 406996 4655 40699d GetProcAddress 4654->4655 4656 40212c 4654->4656 4655->4656 4656->4643 4656->4644 4658 7014184a 4657->4658 4700 70141bff 4658->4700 4660 70141851 4661 70141976 4660->4661 4662 70141862 4660->4662 4663 70141869 4660->4663 4661->4649 4750 7014243e 4662->4750 4734 70142480 4663->4734 4668 701418cd 4672 701418d3 4668->4672 4673 7014191e 4668->4673 4669 701418af 4763 70142655 4669->4763 4670 7014187f 4675 70141885 4670->4675 4681 70141890 4670->4681 4671 70141898 4684 7014188e 4671->4684 4760 70142e23 4671->4760 4782 70141666 4672->4782 4679 70142655 10 API calls 4673->4679 4675->4684 4744 70142b98 4675->4744 4685 7014190f 4679->4685 4680 701418b5 4774 70141654 4680->4774 4754 70142810 4681->4754 4684->4668 4684->4669 4691 70141965 4685->4691 4788 70142618 4685->4788 4687 70141896 4687->4684 4688 70142655 10 API calls 4688->4685 4691->4661 4693 7014196f GlobalFree 4691->4693 4693->4661 4696 70141951 4696->4691 4792 701415dd wsprintfW 
4696->4792 4697 7014194a FreeLibrary 4697->4696 4699->4654 4795 701412bb GlobalAlloc 4700->4795 4702 70141c26 4796 701412bb GlobalAlloc 4702->4796 4704 70141e6b GlobalFree GlobalFree GlobalFree 4705 70141e88 4704->4705 4716 70141ed2 4704->4716 4707 7014227e 4705->4707 4713 70141e9d 4705->4713 4705->4716 4706 70141d26 GlobalAlloc 4726 70141c31 4706->4726 4708 701422a0 GetModuleHandleW 4707->4708 4707->4716 4709 701422c6 4708->4709 4710 701422b1 LoadLibraryW 4708->4710 4803 701416bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4709->4803 4710->4709 4710->4716 4711 70141d71 lstrcpyW 4715 70141d7b lstrcpyW 4711->4715 4712 70141d8f GlobalFree 4712->4726 4713->4716 4799 701412cc 4713->4799 4715->4726 4716->4660 4717 70142318 4717->4716 4721 70142325 lstrlenW 4717->4721 4718 70142126 4802 701412bb GlobalAlloc 4718->4802 4804 701416bd WideCharToMultiByte GlobalAlloc WideCharToMultiByte GetProcAddress GlobalFree 4721->4804 4722 70142067 GlobalFree 4722->4726 4723 701421ae 4723->4716 4731 70142216 lstrcpyW 4723->4731 4724 701422d8 4724->4717 4732 70142302 GetProcAddress 4724->4732 4726->4704 4726->4706 4726->4711 4726->4712 4726->4715 4726->4716 4726->4718 4726->4722 4726->4723 4727 70141dcd 4726->4727 4729 701412cc 2 API calls 4726->4729 4727->4726 4797 7014162f GlobalSize GlobalAlloc 4727->4797 4728 7014233f 4728->4716 4729->4726 4731->4716 4732->4717 4733 7014212f 4733->4660 4742 70142498 4734->4742 4736 701425c1 GlobalFree 4737 7014186f 4736->4737 4736->4742 4737->4670 4737->4671 4737->4684 4738 70142540 GlobalAlloc WideCharToMultiByte 4738->4736 4739 7014256b GlobalAlloc 4741 70142582 4739->4741 4740 701412cc GlobalAlloc lstrcpynW 4740->4742 4741->4736 4810 701427a4 4741->4810 4742->4736 4742->4738 4742->4739 4742->4740 4742->4741 4806 7014135a 4742->4806 4746 70142baa 4744->4746 4745 70142c4f RegOpenKeyExW 4749 70142c6d 4745->4749 4746->4745 4748 70142d39 4748->4684 4813 70142b42 4749->4813 4751 70142453 4750->4751 4752 7014245e 
GlobalAlloc 4751->4752 4753 70141868 4751->4753 4752->4751 4753->4663 4758 70142840 4754->4758 4755 701428ee 4757 701428f4 GlobalSize 4755->4757 4759 701428fe 4755->4759 4756 701428db GlobalAlloc 4756->4759 4757->4759 4758->4755 4758->4756 4759->4687 4761 70142e2e 4760->4761 4762 70142e6e GlobalFree 4761->4762 4817 701412bb GlobalAlloc 4763->4817 4765 701426d8 MultiByteToWideChar 4771 7014265f 4765->4771 4766 701426fa StringFromGUID2 4766->4771 4767 7014270b lstrcpynW 4767->4771 4768 7014271e wsprintfW 4768->4771 4769 70142742 GlobalFree 4769->4771 4770 70142777 GlobalFree 4770->4680 4771->4765 4771->4766 4771->4767 4771->4768 4771->4769 4771->4770 4772 70141312 2 API calls 4771->4772 4818 70141381 4771->4818 4772->4771 4822 701412bb GlobalAlloc 4774->4822 4776 70141659 4777 70141666 2 API calls 4776->4777 4778 70141663 4777->4778 4779 70141312 4778->4779 4780 70141355 GlobalFree 4779->4780 4781 7014131b GlobalAlloc lstrcpynW 4779->4781 4780->4685 4781->4780 4783 70141672 wsprintfW 4782->4783 4784 7014169f lstrcpyW 4782->4784 4787 701416b8 4783->4787 4784->4787 4787->4688 4789 70141931 4788->4789 4790 70142626 4788->4790 4789->4696 4789->4697 4790->4789 4791 70142642 GlobalFree 4790->4791 4791->4790 4793 70141312 2 API calls 4792->4793 4794 701415fe 4793->4794 4794->4691 4795->4702 4796->4726 4798 7014164d 4797->4798 4798->4727 4805 701412bb GlobalAlloc 4799->4805 4801 701412db lstrcpynW 4801->4716 4802->4733 4803->4724 4804->4728 4805->4801 4807 70141361 4806->4807 4808 701412cc 2 API calls 4807->4808 4809 7014137f 4808->4809 4809->4742 4811 701427b2 VirtualAlloc 4810->4811 4812 70142808 4810->4812 4811->4812 4812->4741 4814 70142b4d 4813->4814 4815 70142b52 GetLastError 4814->4815 4816 70142b5d 4814->4816 4815->4816 4816->4748 4817->4771 4819 701413ac 4818->4819 4820 7014138a 4818->4820 4819->4771 4820->4819 4821 70141390 lstrcpyW 4820->4821 4821->4819 4822->4776 4990 404658 4991 404670 4990->4991 4995 40478a 4990->4995 4996 404499 18 API calls 4991->4996 4992 
4047f4 4993 4048be 4992->4993 4994 4047fe GetDlgItem 4992->4994 5001 404500 8 API calls 4993->5001 4997 404818 4994->4997 4998 40487f 4994->4998 4995->4992 4995->4993 4999 4047c5 GetDlgItem SendMessageW 4995->4999 5000 4046d7 4996->5000 4997->4998 5006 40483e SendMessageW LoadCursorW SetCursor 4997->5006 4998->4993 5002 404891 4998->5002 5023 4044bb EnableWindow 4999->5023 5004 404499 18 API calls 5000->5004 5005 4048b9 5001->5005 5008 4048a7 5002->5008 5009 404897 SendMessageW 5002->5009 5011 4046e4 CheckDlgButton 5004->5011 5027 404907 5006->5027 5008->5005 5013 4048ad SendMessageW 5008->5013 5009->5008 5010 4047ef 5024 4048e3 5010->5024 5021 4044bb EnableWindow 5011->5021 5013->5005 5016 404702 GetDlgItem 5022 4044ce SendMessageW 5016->5022 5018 404718 SendMessageW 5019 404735 GetSysColor 5018->5019 5020 40473e SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5018->5020 5019->5020 5020->5005 5021->5016 5022->5018 5023->5010 5025 4048f1 5024->5025 5026 4048f6 SendMessageW 5024->5026 5025->5026 5026->4992 5030 405b63 ShellExecuteExW 5027->5030 5029 40486d LoadCursorW SetCursor 5029->4998 5030->5029 5031 402b59 5032 402b60 5031->5032 5033 402bab 5031->5033 5035 402d84 17 API calls 5032->5035 5039 402ba9 5032->5039 5034 40690a 5 API calls 5033->5034 5036 402bb2 5034->5036 5037 402b6e 5035->5037 5038 402da6 17 API calls 5036->5038 5040 402d84 17 API calls 5037->5040 5041 402bbb 5038->5041 5045 402b7a 5040->5045 5041->5039 5042 402bbf IIDFromString 5041->5042 5042->5039 5043 402bce 5042->5043 5043->5039 5049 40653d lstrcpynW 5043->5049 5048 406484 wsprintfW 5045->5048 5046 402beb CoTaskMemFree 5046->5039 5048->5039 5049->5046 5050 7014170d 5051 701415b6 GlobalFree 5050->5051 5054 70141725 5051->5054 5052 7014176b GlobalFree 5053 70141740 5053->5052 5054->5052 5054->5053 5055 70141757 VirtualFree 5054->5055 5055->5052 4846 40175c 4847 402da6 17 API calls 4846->4847 4848 401763 4847->4848 4849 40605c 2 API calls 4848->4849 4850 40176a 4849->4850 4851 40605c 
2 API calls 4850->4851 4851->4850 5056 401d5d 5057 402d84 17 API calls 5056->5057 5058 401d6e SetWindowLongW 5057->5058 5059 402c2a 5058->5059 4852 4028de 4853 4028e6 4852->4853 4854 4028ea FindNextFileW 4853->4854 4856 4028fc 4853->4856 4855 402943 4854->4855 4854->4856 4858 40653d lstrcpynW 4855->4858 4858->4856 5060 4056de 5061 405888 5060->5061 5062 4056ff GetDlgItem GetDlgItem GetDlgItem 5060->5062 5064 405891 GetDlgItem CreateThread CloseHandle 5061->5064 5065 4058b9 5061->5065 5105 4044ce SendMessageW 5062->5105 5064->5065 5067 4058e4 5065->5067 5068 4058d0 ShowWindow ShowWindow 5065->5068 5069 405909 5065->5069 5066 40576f 5071 405776 GetClientRect GetSystemMetrics SendMessageW SendMessageW 5066->5071 5070 405944 5067->5070 5073 4058f8 5067->5073 5074 40591e ShowWindow 5067->5074 5107 4044ce SendMessageW 5068->5107 5075 404500 8 API calls 5069->5075 5070->5069 5081 405952 SendMessageW 5070->5081 5079 4057e4 5071->5079 5080 4057c8 SendMessageW SendMessageW 5071->5080 5108 404472 5073->5108 5077 405930 5074->5077 5078 40593e 5074->5078 5076 405917 5075->5076 5083 40559f 24 API calls 5077->5083 5084 404472 SendMessageW 5078->5084 5085 4057f7 5079->5085 5086 4057e9 SendMessageW 5079->5086 5080->5079 5081->5076 5087 40596b CreatePopupMenu 5081->5087 5083->5078 5084->5070 5089 404499 18 API calls 5085->5089 5086->5085 5088 40657a 17 API calls 5087->5088 5090 40597b AppendMenuW 5088->5090 5091 405807 5089->5091 5092 405998 GetWindowRect 5090->5092 5093 4059ab TrackPopupMenu 5090->5093 5094 405810 ShowWindow 5091->5094 5095 405844 GetDlgItem SendMessageW 5091->5095 5092->5093 5093->5076 5097 4059c6 5093->5097 5098 405833 5094->5098 5099 405826 ShowWindow 5094->5099 5095->5076 5096 40586b SendMessageW SendMessageW 5095->5096 5096->5076 5100 4059e2 SendMessageW 5097->5100 5106 4044ce SendMessageW 5098->5106 5099->5098 5100->5100 5101 4059ff OpenClipboard EmptyClipboard GlobalAlloc GlobalLock 5100->5101 5103 405a24 SendMessageW 5101->5103 5103->5103 5104 405a4d 
GlobalUnlock SetClipboardData CloseClipboard 5103->5104 5104->5076 5105->5066 5106->5095 5107->5067 5109 404479 5108->5109 5110 40447f SendMessageW 5108->5110 5109->5110 5110->5069 5111 404ce0 5112 404cf0 5111->5112 5113 404d0c 5111->5113 5122 405b81 GetDlgItemTextW 5112->5122 5115 404d12 SHGetPathFromIDListW 5113->5115 5116 404d3f 5113->5116 5118 404d22 5115->5118 5121 404d29 SendMessageW 5115->5121 5117 404cfd SendMessageW 5117->5113 5119 40140b 2 API calls 5118->5119 5119->5121 5121->5116 5122->5117 5123 401563 5124 402ba4 5123->5124 5127 406484 wsprintfW 5124->5127 5126 402ba9 5127->5126 5128 401968 5129 402d84 17 API calls 5128->5129 5130 40196f 5129->5130 5131 402d84 17 API calls 5130->5131 5132 40197c 5131->5132 5133 402da6 17 API calls 5132->5133 5134 401993 lstrlenW 5133->5134 5136 4019a4 5134->5136 5135 4019e5 5136->5135 5140 40653d lstrcpynW 5136->5140 5138 4019d5 5138->5135 5139 4019da lstrlenW 5138->5139 5139->5135 5140->5138 5141 7014103d 5142 7014101b 5 API calls 5141->5142 5143 70141056 5142->5143 5144 40166a 5145 402da6 17 API calls 5144->5145 5146 401670 5145->5146 5147 406873 2 API calls 5146->5147 5148 401676 5147->5148 5149 402aeb 5150 402d84 17 API calls 5149->5150 5151 402af1 5150->5151 5152 40657a 17 API calls 5151->5152 5153 40292e 5151->5153 5152->5153 5154 4026ec 5155 402d84 17 API calls 5154->5155 5156 4026fb 5155->5156 5157 402745 ReadFile 5156->5157 5158 4060b0 ReadFile 5156->5158 5159 402785 MultiByteToWideChar 5156->5159 5160 40283a 5156->5160 5163 4027ab SetFilePointer MultiByteToWideChar 5156->5163 5164 40284b 5156->5164 5166 402838 5156->5166 5167 40610e SetFilePointer 5156->5167 5157->5156 5157->5166 5158->5156 5159->5156 5176 406484 wsprintfW 5160->5176 5163->5156 5165 40286c SetFilePointer 5164->5165 5164->5166 5165->5166 5168 406142 5167->5168 5169 40612a 5167->5169 5168->5156 5170 4060b0 ReadFile 5169->5170 5171 406136 5170->5171 5171->5168 5172 406173 SetFilePointer 5171->5172 5173 40614b SetFilePointer 5171->5173 5172->5168 
5173->5172 5174 406156 5173->5174 5175 4060df WriteFile 5174->5175 5175->5168 5176->5166 4544 40176f 4545 402da6 17 API calls 4544->4545 4546 401776 4545->4546 4547 401796 4546->4547 4548 40179e 4546->4548 4583 40653d lstrcpynW 4547->4583 4584 40653d lstrcpynW 4548->4584 4551 40179c 4555 4067c4 5 API calls 4551->4555 4552 4017a9 4553 405e0c 3 API calls 4552->4553 4554 4017af lstrcatW 4553->4554 4554->4551 4572 4017bb 4555->4572 4556 406873 2 API calls 4556->4572 4557 406008 2 API calls 4557->4572 4559 4017cd CompareFileTime 4559->4572 4560 40188d 4562 40559f 24 API calls 4560->4562 4561 401864 4563 40559f 24 API calls 4561->4563 4580 401879 4561->4580 4565 401897 4562->4565 4563->4580 4564 40653d lstrcpynW 4564->4572 4566 4032b4 31 API calls 4565->4566 4567 4018aa 4566->4567 4568 4018be SetFileTime 4567->4568 4570 4018d0 CloseHandle 4567->4570 4568->4570 4569 40657a 17 API calls 4569->4572 4571 4018e1 4570->4571 4570->4580 4573 4018e6 4571->4573 4574 4018f9 4571->4574 4572->4556 4572->4557 4572->4559 4572->4560 4572->4561 4572->4564 4572->4569 4579 405b9d MessageBoxIndirectW 4572->4579 4582 40602d GetFileAttributesW CreateFileW 4572->4582 4575 40657a 17 API calls 4573->4575 4576 40657a 17 API calls 4574->4576 4577 4018ee lstrcatW 4575->4577 4578 401901 4576->4578 4577->4578 4578->4580 4581 405b9d MessageBoxIndirectW 4578->4581 4579->4572 4581->4580 4582->4572 4583->4551 4584->4552 5177 401a72 5178 402d84 17 API calls 5177->5178 5179 401a7b 5178->5179 5180 402d84 17 API calls 5179->5180 5181 401a20 5180->5181 5182 401573 5183 401583 ShowWindow 5182->5183 5184 40158c 5182->5184 5183->5184 5185 40159a ShowWindow 5184->5185 5186 402c2a 5184->5186 5185->5186 5187 4023f4 5188 402da6 17 API calls 5187->5188 5189 402403 5188->5189 5190 402da6 17 API calls 5189->5190 5191 40240c 5190->5191 5192 402da6 17 API calls 5191->5192 5193 402416 GetPrivateProfileStringW 5192->5193 5194 4014f5 SetForegroundWindow 5195 402c2a 5194->5195 5196 401ff6 5197 402da6 17 API calls 5196->5197 
5198 401ffd 5197->5198 5199 406873 2 API calls 5198->5199 5200 402003 5199->5200 5202 402014 5200->5202 5203 406484 wsprintfW 5200->5203 5203->5202 5204 401b77 5205 402da6 17 API calls 5204->5205 5206 401b7e 5205->5206 5207 402d84 17 API calls 5206->5207 5208 401b87 wsprintfW 5207->5208 5209 402c2a 5208->5209 5210 40167b 5211 402da6 17 API calls 5210->5211 5212 401682 5211->5212 5213 402da6 17 API calls 5212->5213 5214 40168b 5213->5214 5215 402da6 17 API calls 5214->5215 5216 401694 MoveFileW 5215->5216 5217 4016a7 5216->5217 5223 4016a0 5216->5223 5219 406873 2 API calls 5217->5219 5221 4022f6 5217->5221 5218 401423 24 API calls 5218->5221 5220 4016b6 5219->5220 5220->5221 5222 4062fd 36 API calls 5220->5222 5222->5223 5223->5218 5224 4022ff 5225 402da6 17 API calls 5224->5225 5226 402305 5225->5226 5227 402da6 17 API calls 5226->5227 5228 40230e 5227->5228 5229 402da6 17 API calls 5228->5229 5230 402317 5229->5230 5231 406873 2 API calls 5230->5231 5232 402320 5231->5232 5233 402331 lstrlenW lstrlenW 5232->5233 5234 402324 5232->5234 5235 40559f 24 API calls 5233->5235 5236 40559f 24 API calls 5234->5236 5238 40232c 5234->5238 5237 40236f SHFileOperationW 5235->5237 5236->5238 5237->5234 5237->5238 5239 4019ff 5240 402da6 17 API calls 5239->5240 5241 401a06 5240->5241 5242 402da6 17 API calls 5241->5242 5243 401a0f 5242->5243 5244 401a16 lstrcmpiW 5243->5244 5245 401a28 lstrcmpW 5243->5245 5246 401a1c 5244->5246 5245->5246 5247 401000 5248 401037 BeginPaint GetClientRect 5247->5248 5249 40100c DefWindowProcW 5247->5249 5251 4010f3 5248->5251 5252 401179 5249->5252 5253 401073 CreateBrushIndirect FillRect DeleteObject 5251->5253 5254 4010fc 5251->5254 5253->5251 5255 401102 CreateFontIndirectW 5254->5255 5256 401167 EndPaint 5254->5256 5255->5256 5257 401112 6 API calls 5255->5257 5256->5252 5257->5256 5258 401d81 5259 401d94 GetDlgItem 5258->5259 5260 401d87 5258->5260 5262 401d8e 5259->5262 5261 402d84 17 API calls 5260->5261 5261->5262 5263 401dd5 
GetClientRect LoadImageW SendMessageW 5262->5263 5264 402da6 17 API calls 5262->5264 5266 401e33 5263->5266 5268 401e3f 5263->5268 5264->5263 5267 401e38 DeleteObject 5266->5267 5266->5268 5267->5268 5269 401503 5270 40150b 5269->5270 5272 40151e 5269->5272 5271 402d84 17 API calls 5270->5271 5271->5272 5273 402383 5274 40238a 5273->5274 5276 40239d 5273->5276 5275 40657a 17 API calls 5274->5275 5277 402397 5275->5277 5277->5276 5278 405b9d MessageBoxIndirectW 5277->5278 5278->5276 5279 402c05 SendMessageW 5280 402c2a 5279->5280 5281 402c1f InvalidateRect 5279->5281 5281->5280 5282 404f06 GetDlgItem GetDlgItem 5283 404f58 7 API calls 5282->5283 5289 40517d 5282->5289 5284 404ff2 SendMessageW 5283->5284 5285 404fff DeleteObject 5283->5285 5284->5285 5286 405008 5285->5286 5287 40503f 5286->5287 5290 40657a 17 API calls 5286->5290 5291 404499 18 API calls 5287->5291 5288 40530b 5293 405315 SendMessageW 5288->5293 5294 40531d 5288->5294 5292 40525f 5289->5292 5316 4051ec 5289->5316 5336 404e54 SendMessageW 5289->5336 5295 405021 SendMessageW SendMessageW 5290->5295 5296 405053 5291->5296 5292->5288 5298 4052b8 SendMessageW 5292->5298 5325 405170 5292->5325 5293->5294 5304 405336 5294->5304 5305 40532f ImageList_Destroy 5294->5305 5309 405346 5294->5309 5295->5286 5297 404499 18 API calls 5296->5297 5317 405064 5297->5317 5302 4052cd SendMessageW 5298->5302 5298->5325 5299 405251 SendMessageW 5299->5292 5300 404500 8 API calls 5303 40550c 5300->5303 5307 4052e0 5302->5307 5304->5309 5310 40533f GlobalFree 5304->5310 5305->5304 5306 40513f GetWindowLongW SetWindowLongW 5312 405158 5306->5312 5319 4052f1 SendMessageW 5307->5319 5308 4054c0 5311 4054d2 ShowWindow GetDlgItem ShowWindow 5308->5311 5308->5325 5309->5308 5328 405381 5309->5328 5341 404ed4 5309->5341 5310->5309 5311->5325 5313 405175 5312->5313 5314 40515d ShowWindow 5312->5314 5335 4044ce SendMessageW 5313->5335 5334 4044ce SendMessageW 5314->5334 5316->5292 5316->5299 5317->5306 5318 4050b7 SendMessageW 
5317->5318 5320 40513a 5317->5320 5322 4050f5 SendMessageW 5317->5322 5323 405109 SendMessageW 5317->5323 5318->5317 5319->5288 5320->5306 5320->5312 5322->5317 5323->5317 5325->5300 5326 40548b 5327 405496 InvalidateRect 5326->5327 5330 4054a2 5326->5330 5327->5330 5329 4053af SendMessageW 5328->5329 5333 4053c5 5328->5333 5329->5333 5330->5308 5350 404e0f 5330->5350 5332 405439 SendMessageW SendMessageW 5332->5333 5333->5326 5333->5332 5334->5325 5335->5289 5337 404eb3 SendMessageW 5336->5337 5338 404e77 GetMessagePos ScreenToClient SendMessageW 5336->5338 5340 404eab 5337->5340 5339 404eb0 5338->5339 5338->5340 5339->5337 5340->5316 5353 40653d lstrcpynW 5341->5353 5343 404ee7 5354 406484 wsprintfW 5343->5354 5345 404ef1 5346 40140b 2 API calls 5345->5346 5347 404efa 5346->5347 5355 40653d lstrcpynW 5347->5355 5349 404f01 5349->5328 5356 404d46 5350->5356 5352 404e24 5352->5308 5353->5343 5354->5345 5355->5349 5357 404d5f 5356->5357 5358 40657a 17 API calls 5357->5358 5359 404dc3 5358->5359 5360 40657a 17 API calls 5359->5360 5361 404dce 5360->5361 5362 40657a 17 API calls 5361->5362 5363 404de4 lstrlenW wsprintfW SetDlgItemTextW 5362->5363 5363->5352 4183 401389 4185 401390 4183->4185 4184 4013fe 4185->4184 4186 4013cb MulDiv SendMessageW 4185->4186 4186->4185 5364 404609 lstrlenW 5365 404628 5364->5365 5366 40462a WideCharToMultiByte 5364->5366 5365->5366 4187 40248a 4188 402da6 17 API calls 4187->4188 4189 40249c 4188->4189 4190 402da6 17 API calls 4189->4190 4191 4024a6 4190->4191 4204 402e36 4191->4204 4194 402c2a 4195 4024de 4197 4024ea 4195->4197 4208 402d84 4195->4208 4196 402da6 17 API calls 4198 4024d4 lstrlenW 4196->4198 4200 402509 RegSetValueExW 4197->4200 4211 4032b4 4197->4211 4198->4195 4202 40251f RegCloseKey 4200->4202 4202->4194 4205 402e51 4204->4205 4231 4063d8 4205->4231 4209 40657a 17 API calls 4208->4209 4210 402d99 4209->4210 4210->4197 4212 4032cd 4211->4212 4213 4032fb 4212->4213 4238 4034e5 SetFilePointer 4212->4238 4235 4034cf 
4213->4235 4217 403468 4219 4034aa 4217->4219 4224 40346c 4217->4224 4218 403318 GetTickCount 4220 403452 4218->4220 4227 403367 4218->4227 4221 4034cf ReadFile 4219->4221 4220->4200 4221->4220 4222 4034cf ReadFile 4222->4227 4223 4034cf ReadFile 4223->4224 4224->4220 4224->4223 4225 4060df WriteFile 4224->4225 4225->4224 4226 4033bd GetTickCount 4226->4227 4227->4220 4227->4222 4227->4226 4228 4033e2 MulDiv wsprintfW 4227->4228 4230 4060df WriteFile 4227->4230 4229 40559f 24 API calls 4228->4229 4229->4227 4230->4227 4232 4063e7 4231->4232 4233 4063f2 RegCreateKeyExW 4232->4233 4234 4024b6 4232->4234 4233->4234 4234->4194 4234->4195 4234->4196 4236 4060b0 ReadFile 4235->4236 4237 403306 4236->4237 4237->4217 4237->4218 4237->4220 4238->4213 5367 40498a 5368 4049b6 5367->5368 5369 4049c7 5367->5369 5428 405b81 GetDlgItemTextW 5368->5428 5371 4049d3 GetDlgItem 5369->5371 5374 404a32 5369->5374 5373 4049e7 5371->5373 5372 4049c1 5376 4067c4 5 API calls 5372->5376 5377 4049fb SetWindowTextW 5373->5377 5380 405eb7 4 API calls 5373->5380 5375 404b16 5374->5375 5382 40657a 17 API calls 5374->5382 5426 404cc5 5374->5426 5375->5426 5430 405b81 GetDlgItemTextW 5375->5430 5376->5369 5381 404499 18 API calls 5377->5381 5379 404500 8 API calls 5387 404cd9 5379->5387 5388 4049f1 5380->5388 5384 404a17 5381->5384 5385 404aa6 SHBrowseForFolderW 5382->5385 5383 404b46 5386 405f14 18 API calls 5383->5386 5389 404499 18 API calls 5384->5389 5385->5375 5390 404abe CoTaskMemFree 5385->5390 5391 404b4c 5386->5391 5388->5377 5394 405e0c 3 API calls 5388->5394 5392 404a25 5389->5392 5393 405e0c 3 API calls 5390->5393 5431 40653d lstrcpynW 5391->5431 5429 4044ce SendMessageW 5392->5429 5399 404acb 5393->5399 5394->5377 5397 404a2b 5401 40690a 5 API calls 5397->5401 5398 404b02 SetDlgItemTextW 5398->5375 5399->5398 5403 40657a 17 API calls 5399->5403 5400 404b63 5402 40690a 5 API calls 5400->5402 5401->5374 5410 404b6a 5402->5410 5404 404aea lstrcmpiW 5403->5404 5404->5398 5407 404afb 
lstrcatW 5404->5407 5405 404bab 5432 40653d lstrcpynW 5405->5432 5407->5398 5408 404bb2 5409 405eb7 4 API calls 5408->5409 5411 404bb8 GetDiskFreeSpaceW 5409->5411 5410->5405 5414 405e58 2 API calls 5410->5414 5416 404c03 5410->5416 5413 404bdc MulDiv 5411->5413 5411->5416 5413->5416 5414->5410 5415 404c74 5418 404c97 5415->5418 5420 40140b 2 API calls 5415->5420 5416->5415 5417 404e0f 20 API calls 5416->5417 5419 404c61 5417->5419 5433 4044bb EnableWindow 5418->5433 5422 404c76 SetDlgItemTextW 5419->5422 5423 404c66 5419->5423 5420->5418 5422->5415 5425 404d46 20 API calls 5423->5425 5424 404cb3 5424->5426 5427 4048e3 SendMessageW 5424->5427 5425->5415 5426->5379 5427->5426 5428->5372 5429->5397 5430->5383 5431->5400 5432->5408 5433->5424 4272 40290b 4273 402da6 17 API calls 4272->4273 4274 402912 FindFirstFileW 4273->4274 4275 40293a 4274->4275 4279 402925 4274->4279 4277 402943 4275->4277 4280 406484 wsprintfW 4275->4280 4281 40653d lstrcpynW 4277->4281 4280->4277 4281->4279 5434 70141058 5436 70141074 5434->5436 5435 701410dd 5436->5435 5437 70141092 5436->5437 5438 701415b6 GlobalFree 5436->5438 5439 701415b6 GlobalFree 5437->5439 5438->5437 5440 701410a2 5439->5440 5441 701410b2 5440->5441 5442 701410a9 GlobalSize 5440->5442 5443 701410b6 GlobalAlloc 5441->5443 5444 701410c7 5441->5444 5442->5441 5445 701415dd 3 API calls 5443->5445 5446 701410d2 GlobalFree 5444->5446 5445->5444 5446->5435 5447 40190c 5448 401943 5447->5448 5449 402da6 17 API calls 5448->5449 5450 401948 5449->5450 5451 405c49 67 API calls 5450->5451 5452 401951 5451->5452 5453 40190f 5454 402da6 17 API calls 5453->5454 5455 401916 5454->5455 5456 405b9d MessageBoxIndirectW 5455->5456 5457 40191f 5456->5457 4585 402891 4586 402898 4585->4586 4589 402ba9 4585->4589 4587 402d84 17 API calls 4586->4587 4588 40289f 4587->4588 4590 4028ae SetFilePointer 4588->4590 4590->4589 4591 4028be 4590->4591 4593 406484 wsprintfW 4591->4593 4593->4589 5458 401491 5459 40559f 24 API calls 5458->5459 5460 
401498 5459->5460 5461 401f12 5462 402da6 17 API calls 5461->5462 5463 401f18 5462->5463 5464 402da6 17 API calls 5463->5464 5465 401f21 5464->5465 5466 402da6 17 API calls 5465->5466 5467 401f2a 5466->5467 5468 402da6 17 API calls 5467->5468 5469 401f33 5468->5469 5470 401423 24 API calls 5469->5470 5471 401f3a 5470->5471 5478 405b63 ShellExecuteExW 5471->5478 5473 401f82 5474 40292e 5473->5474 5475 4069b5 5 API calls 5473->5475 5476 401f9f CloseHandle 5475->5476 5476->5474 5478->5473 5479 405513 5480 405523 5479->5480 5481 405537 5479->5481 5482 405529 5480->5482 5491 405580 5480->5491 5483 40553f IsWindowVisible 5481->5483 5489 405556 5481->5489 5485 4044e5 SendMessageW 5482->5485 5486 40554c 5483->5486 5483->5491 5484 405585 CallWindowProcW 5487 405533 5484->5487 5485->5487 5488 404e54 5 API calls 5486->5488 5488->5489 5489->5484 5490 404ed4 4 API calls 5489->5490 5490->5491 5491->5484 5492 402f93 5493 402fa5 SetTimer 5492->5493 5494 402fbe 5492->5494 5493->5494 5495 403013 5494->5495 5496 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5494->5496 5496->5495 5497 401d17 5498 402d84 17 API calls 5497->5498 5499 401d1d IsWindow 5498->5499 5500 401a20 5499->5500 5501 70142d43 5502 70142d5b 5501->5502 5503 7014162f 2 API calls 5502->5503 5504 70142d76 5503->5504 5505 403f9a 5506 403fb2 5505->5506 5507 404113 5505->5507 5506->5507 5508 403fbe 5506->5508 5509 404164 5507->5509 5510 404124 GetDlgItem GetDlgItem 5507->5510 5511 403fc9 SetWindowPos 5508->5511 5512 403fdc 5508->5512 5514 4041be 5509->5514 5523 401389 2 API calls 5509->5523 5513 404499 18 API calls 5510->5513 5511->5512 5516 403fe5 ShowWindow 5512->5516 5517 404027 5512->5517 5518 40414e SetClassLongW 5513->5518 5515 4044e5 SendMessageW 5514->5515 5529 40410e 5514->5529 5566 4041d0 5515->5566 5519 404005 GetWindowLongW 5516->5519 5544 4040d1 5516->5544 5520 404046 5517->5520 5521 40402f DestroyWindow 5517->5521 5522 40140b 2 API calls 5518->5522 5525 40401e ShowWindow 5519->5525 5519->5544 5526 

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 00403550
                                                                                                                                                                                    • GetVersionExW.KERNEL32(?), ref: 00403579
                                                                                                                                                                                    • GetVersionExW.KERNEL32(0000011C), ref: 00403590
                                                                                                                                                                                    • lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
                                                                                                                                                                                    • #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
                                                                                                                                                                                    • OleInitialize.OLE32(00000000), ref: 0040366A
                                                                                                                                                                                    • SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
                                                                                                                                                                                    • GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
                                                                                                                                                                                    • CharNextW.USER32(00000000,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000020,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000), ref: 004036D6
                                                                                                                                                                                    • GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,?), ref: 00403809
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 0040381A
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403826
                                                                                                                                                                                    • GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 0040383A
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403842
                                                                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403853
                                                                                                                                                                                    • SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 0040385B
                                                                                                                                                                                    • DeleteFileW.KERNELBASE(1033), ref: 0040386F
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 00403956
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,0040A26C,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 00403965
                                                                                                                                                                                      • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405AF1
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 00403970
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true,00000000,?), ref: 0040397C
                                                                                                                                                                                    • SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 0040399C
                                                                                                                                                                                    • DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
                                                                                                                                                                                    • CopyFileW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,0042AA28,00000001), ref: 00403A0E
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
                                                                                                                                                                                    • OleUninitialize.OLE32(?), ref: 00403A5E
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403A78
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                                                                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
                                                                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
                                                                                                                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403B0C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000007.00000002.2539018544.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539219124.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539308395.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539308395.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539308395.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539308395.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539308395.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539308395.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539308395.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000007.00000002.2539847812.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                                                                                                                                                    • String ID: "C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe" /S /skipDowngrade=true$.tmp$1033$C:\Program Files\Wildix\WIService$C:\Program Files\Wildix\WIService$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405C72
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\Wildix Outlook Integration\*.*,\*.*,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\Wildix Outlook Integration\*.*,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CBA
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\Wildix Outlook Integration\*.*,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CDD
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\Wildix Outlook Integration\*.*,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CE3
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\Wildix Outlook Integration\*.*,?,?,?,0040A014,?,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\Wildix Outlook Integration\*.*,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405CF3
                                                                                                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405DA2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                    • String ID: .$.$C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Wildix\Wildix Outlook Integration\*.*$C:\Users\user~1\AppData\Local\Temp\$\*.*
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 701412BB: GlobalAlloc.KERNELBASE(00000040,?,701412DB,?,7014137F,00000019,701411CA,-000000A0), ref: 701412C5
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 70141D2D
                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000008,?), ref: 70141D75
                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000808,?), ref: 70141D7F
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70141D92
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70141E74
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70141E79
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70141E7E
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70142068
                                                                                                                                                                                    • lstrcpyW.KERNEL32(?,?), ref: 70142222
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000008), ref: 701422A1
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(00000008), ref: 701422B2
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 7014230C
                                                                                                                                                                                    • lstrlenW.KERNEL32(00000808), ref: 70142326
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(771B3420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 0040687E
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 0040688A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1974802433-0
                                                                                                                                                                                    • Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                                                                                                                                                                    • Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                                                                                      • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                                                                                    • lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00000000,?), ref: 00403C6D
                                                                                                                                                                                    • lstrlenW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",?,?,?,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,C:\Program Files\Wildix\WIService,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,771B3420), ref: 00403CED
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,.exe,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",?,?,?,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,C:\Program Files\Wildix\WIService,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",?,00000000,?), ref: 00403D0B
                                                                                                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\Wildix\WIService), ref: 00403D54
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    • RegisterClassW.USER32(00433EA0), ref: 00403D91
                                                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
                                                                                                                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
                                                                                                                                                                                    • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
                                                                                                                                                                                    • RegisterClassW.USER32(00433EA0), ref: 00403E56
                                                                                                                                                                                    • DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files\Wildix\WIService$C:\Users\user~1\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                    • API String ID: 1975747703-826386383

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040308E
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                                                                                                                                                                      • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                      • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
                                                                                                                                                                                    • API String ID: 2803837635-2008522623

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000400), ref: 00406695
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,771B23A0), ref: 004066A8
                                                                                                                                                                                    • lstrcatW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                    • lstrlenW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Directory$SystemWindowslstrcatlstrlen
                                                                                                                                                                                    • String ID: "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                    • API String ID: 4260037668-495539868
                                                                                                                                                                                    • Opcode ID: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                                                                                    • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                                                                    • String ID: *B$ A$ A$... %d%%$}8@
                                                                                                                                                                                    • API String ID: 551687249-3029848762
                                                                                                                                                                                    • Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                                                                                                                                                                    • Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
                                                                                                                                                                                    • Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017B0
                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk","C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,00000000,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017D5
                                                                                                                                                                                      • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                    • String ID: "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"$C:\Program Files\Wildix\WIService$C:\Program Files\Wildix\WIService\proxyex.lnk$C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                    • API String ID: 1941528284-52577249
                                                                                                                                                                                    • Opcode ID: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
                                                                                                                                                                                    • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
                                                                                                                                                                                    • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                                                                                    • wsprintfW.USER32 ref: 004068EC
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                    • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                    • API String ID: 2200240437-1946221925
                                                                                                                                                                                    • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                                                                                                                                    • Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                                                                                                                                    • Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405AB1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AC5
                                                                                                                                                                                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AE4
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405A94
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 3449924974-2382934351
                                                                                                                                                                                    • Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                                    • Instruction ID: 637b0a295f6611997b04f2fb2f8121e2d74ae93851c1d74b8ff7b710bfe1865b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A010871D04219EAEF019BA0DD84BEFBBB4EB14314F00813AD545B6281E7789648CFE9

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 769 402ea9-402ed2 call 4063aa 771 402ed7-402edb 769->771 772 402ee1-402ee5 771->772 773 402f8c-402f90 771->773 774 402ee7-402f08 RegEnumValueW 772->774 775 402f0a-402f1d 772->775 774->775 776 402f71-402f7f RegCloseKey 774->776 777 402f46-402f4d RegEnumKeyW 775->777 776->773 778 402f1f-402f21 777->778 779 402f4f-402f61 RegCloseKey call 40690a 777->779 778->776 780 402f23-402f37 call 402ea9 778->780 784 402f81-402f87 779->784 785 402f63-402f6f RegDeleteKeyW 779->785 780->779 787 402f39-402f45 780->787 784->773 785->773 787->777
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                                                                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseEnum$DeleteValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1354259210-0
                                                                                                                                                                                    • Opcode ID: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                                                                                                                                                                    • Instruction ID: ca6229ec891c5908b4c2d3bab14ae3db7b9396451d72a40731f1c02386a45f13
                                                                                                                                                                                    • Opcode Fuzzy Hash: 78d35a7524f1d2205fa0e87ab22fa6bfb41dfe8b1a27fd9ec563711b6eb4cb1f
                                                                                                                                                                                    • Instruction Fuzzy Hash: DA215A7150010ABBEF119F90CE89EEF7B7DEB50384F100076F909B21A0D7B49E54AA68

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 788 70141817-70141856 call 70141bff 792 70141976-70141978 788->792 793 7014185c-70141860 788->793 794 70141862-70141868 call 7014243e 793->794 795 70141869-70141876 call 70142480 793->795 794->795 800 701418a6-701418ad 795->800 801 70141878-7014187d 795->801 802 701418cd-701418d1 800->802 803 701418af-701418cb call 70142655 call 70141654 call 70141312 GlobalFree 800->803 804 7014187f-70141880 801->804 805 70141898-7014189b 801->805 806 701418d3-7014191c call 70141666 call 70142655 802->806 807 7014191e-70141924 call 70142655 802->807 828 70141925-70141929 803->828 810 70141882-70141883 804->810 811 70141888-70141889 call 70142b98 804->811 805->800 808 7014189d-7014189e call 70142e23 805->808 806->828 807->828 822 701418a3 808->822 817 70141885-70141886 810->817 818 70141890-70141896 call 70142810 810->818 819 7014188e 811->819 817->800 817->811 827 701418a5 818->827 819->822 822->827 827->800 832 70141966-7014196d 828->832 833 7014192b-70141939 call 70142618 828->833 832->792 835 7014196f-70141970 GlobalFree 832->835 838 70141951-70141958 833->838 839 7014193b-7014193e 833->839 835->792 838->832 841 7014195a-70141965 call 701415dd 838->841 839->838 840 70141940-70141948 839->840 840->838 842 7014194a-7014194b FreeLibrary 840->842 841->832 842->838
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 70141BFF: GlobalFree.KERNEL32(?), ref: 70141E74
                                                                                                                                                                                      • Part of subcall function 70141BFF: GlobalFree.KERNEL32(?), ref: 70141E79
                                                                                                                                                                                      • Part of subcall function 70141BFF: GlobalFree.KERNEL32(?), ref: 70141E7E
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 701418C5
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 7014194B
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70141970
                                                                                                                                                                                      • Part of subcall function 7014243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7014246F
                                                                                                                                                                                      • Part of subcall function 70142810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70141896,00000000), ref: 701428E0
                                                                                                                                                                                      • Part of subcall function 70141666: wsprintfW.USER32 ref: 70141694
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3962662361-3916222277
                                                                                                                                                                                    • Opcode ID: 11eca8b25fb26bf1595546eade159e084254cbfe9857880530e6097022c6b7b5
                                                                                                                                                                                    • Instruction ID: 781eef460ca0e83f9017f428c11921f16c4cd5eb5f9f65223fc67b2c954073ee
                                                                                                                                                                                    • Opcode Fuzzy Hash: 11eca8b25fb26bf1595546eade159e084254cbfe9857880530e6097022c6b7b5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5441E2729002029FCB009F20DC85B9D37BCBF05354F366469FD0A9A6B6DBB4D484CB60

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 845 40248a-4024bb call 402da6 * 2 call 402e36 852 4024c1-4024cb 845->852 853 402c2a-402c39 845->853 854 4024cd-4024da call 402da6 lstrlenW 852->854 855 4024de-4024e1 852->855 854->855 858 4024e3-4024f4 call 402d84 855->858 859 4024f5-4024f8 855->859 858->859 863 402509-40251d RegSetValueExW 859->863 864 4024fa-402504 call 4032b4 859->864 866 402522-402603 RegCloseKey 863->866 867 40251f 863->867 864->863 866->853 867->866
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\Program Files\Wildix\WIService\wiservice.exe,00000023,00000011,00000002), ref: 004024D5
                                                                                                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Program Files\Wildix\WIService\wiservice.exe,00000000,00000011,00000002), ref: 00402515
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Program Files\Wildix\WIService\wiservice.exe,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                    • API String ID: 2655323295-1868976006
                                                                                                                                                                                    • Opcode ID: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
                                                                                                                                                                                    • Instruction ID: a32c4fc66ba480c3aafb49ec1434dbeb720bd0d2787204a1d049ba7b64bbfaa1
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3f2741e17913f4b3ae47e715a678bc9f1b76d5c80f35dbb4c6e867a5b8f0e772
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8B118E71E00119BEEF10AFA5DE49EAEBAB8FF44358F15443AF504F61C1D7B88D40AA58

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 870 405f14-405f2f call 40653d call 405eb7 875 405f31-405f33 870->875 876 405f35-405f42 call 4067c4 870->876 877 405f8d-405f8f 875->877 880 405f52-405f56 876->880 881 405f44-405f4a 876->881 883 405f6c-405f75 lstrlenW 880->883 881->875 882 405f4c-405f50 881->882 882->875 882->880 884 405f77-405f8b call 405e0c GetFileAttributesW 883->884 885 405f58-405f5f call 406873 883->885 884->877 890 405f61-405f64 885->890 891 405f66-405f67 call 405e58 885->891 890->875 890->891 891->883
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EC5
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405F6D
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F7D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                    • String ID: C:\$C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 3248276644-1077792641

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 893 40605c-406068 894 406069-40609d GetTickCount GetTempFileNameW 893->894 895 4060ac-4060ae 894->895 896 40609f-4060a1 894->896 898 4060a6-4060a9 895->898 896->894 897 4060a3 896->897 897->898
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040607A
                                                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406095
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
                                                                                                                                                                                    • API String ID: 1716503409-3083371207

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 899 4015c1-4015d5 call 402da6 call 405eb7 904 401631-401634 899->904 905 4015d7-4015ea call 405e39 899->905 907 401663-4022f6 call 401423 904->907 908 401636-401655 call 401423 call 40653d SetCurrentDirectoryW 904->908 913 401604-401607 call 405aeb 905->913 914 4015ec-4015ef 905->914 921 402c2a-402c39 907->921 908->921 925 40165b-40165e 908->925 922 40160c-40160e 913->922 914->913 918 4015f1-4015f8 call 405b08 914->918 918->913 929 4015fa-4015fd call 405a6e 918->929 926 401610-401615 922->926 927 401627-40162f 922->927 925->921 930 401624 926->930 931 401617-401622 GetFileAttributesW 926->931 927->904 927->905 934 401602 929->934 930->927 931->927 931->930 934->922
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EC5
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                      • Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,C:\Users\user~1\AppData\Local\Temp\), ref: 00405AB1
                                                                                                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files\Wildix\WIService,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Program Files\Wildix\WIService, xrefs: 00401640
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService
                                                                                                                                                                                    • API String ID: 1892508949-2436880260
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",?,?,00406672,80000002), ref: 00406451
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk","C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk","C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,0042C248), ref: 0040645C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk", xrefs: 00406412
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID: "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"
                                                                                                                                                                                    • API String ID: 3356406503-3980487995
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 334405425-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00401C0B
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFreelstrcatlstrlen
                                                                                                                                                                                    • String ID: "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"
                                                                                                                                                                                    • API String ID: 3292104215-3980487995
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405B63: ShellExecuteExW.SHELL32(?), ref: 00405B72
                                                                                                                                                                                      • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                      • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
                                                                                                                                                                                    • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCodeExecuteExitHandleObjectProcessShellSingleWait
                                                                                                                                                                                    • String ID: @$C:\Program Files\Wildix\WIService
                                                                                                                                                                                    • API String ID: 165873841-3745962701
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
                                                                                                                                                                                    • RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025E4
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Program Files\Wildix\WIService\wiservice.exe,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Enum$CloseValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 397863658-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069DB
                                                                                                                                                                                    • GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ObjectSingleWait$CodeExitProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2567322000-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Program Files\Wildix\WIService, xrefs: 00402269
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService
                                                                                                                                                                                    • API String ID: 542301482-2436880260
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?,C:\Program Files\Wildix\WIService\wiservice.exe,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegDeleteValueW.KERNELBASE(00000000,00000000,00000033), ref: 00402456
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(00000000), ref: 0040245F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseDeleteValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2831762973-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                                                                                      • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                                                                                      • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                                                                                                                                                                      • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesCreate
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                                                                                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00406021
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00403520,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405AF1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AFF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000), ref: 70142C57
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointerwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 327478801-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,?,?), ref: 004028F2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindNext
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2029273394-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                    • Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                                                                                    • Instruction ID: 1583d2e05e1cff28e3594e7db3f0db2d88eef65457287744bb544c492d9958e5
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
                                                                                                                                                                                    • Instruction Fuzzy Hash: AEE0EC322502AAABDF10AE65DC04AEB7B6CEB05361F018936FD16E6150E631E92197A4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(7014505C,00000004,00000040,7014504C), ref: 70142A9D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    • Opcode ID: 3ce031b4c506b67f5dc998f1a24a55ecb7f4b4a95de88548cec81246f7500f72
                                                                                                                                                                                    • Instruction ID: ae4596901aacfa03b861ab8154ec4e4827322564a23871dd9c7ac695ccd89ee7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 3ce031b4c506b67f5dc998f1a24a55ecb7f4b4a95de88548cec81246f7500f72
                                                                                                                                                                                    • Instruction Fuzzy Hash: E4F092BA500284DEC360CF2A8C647093FE0B70B308B74466AF988D7A72E3744444CBA1
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C248,?,?,00406438,0042C248,00000000,?,?,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",?), ref: 004063CE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                    • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                    • Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                                                                                                                                                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                      • Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                      • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                    • CloseHandle.KERNELBASE(?,?,?,?,?,?), ref: 00401FEB
                                                                                                                                                                                      • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                      • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2972824698-0
                                                                                                                                                                                    • Opcode ID: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                    • Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,?,701412DB,?,7014137F,00000019,701411CA,-000000A0), ref: 701412C5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocGlobal
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3761449716-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040573C
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040574B
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00405788
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 0040578F
                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                                                                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                                                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040582B
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040584C
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040575A
                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040589E
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004058B3
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004058D7
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000008), ref: 004058DC
                                                                                                                                                                                    • ShowWindow.USER32(00000008), ref: 00405926
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                                                                                                                                                                                    • CreatePopupMenu.USER32 ref: 0040596B
                                                                                                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040599F
                                                                                                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
                                                                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405A00
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00405A06
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405A1C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405A50
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 00405A61
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                    • String ID: {
                                                                                                                                                                                    • API String ID: 590372296-366298937
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                                                                                                                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                                                                                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00405000
                                                                                                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                                                                                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00405162
                                                                                                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                                                                                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                                                                                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                                                                                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                                                                                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                                                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00405340
                                                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                                                                                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 004054EA
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004054FC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                    • String ID: $M$N
                                                                                                                                                                                    • API String ID: 2564846305-813528018
                                                                                                                                                                                    • Opcode ID: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                    • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                    • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403FF6
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                                                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00404021
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00404035
                                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 0040406D
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00404088
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00404133
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0040413D
                                                                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                                                                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 0040424E
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 0040426F
                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 00404281
                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 0040429C
                                                                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
                                                                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 004042B9
                                                                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                                                                                                                                                                                    • SetWindowTextW.USER32(?,0042D268), ref: 00404322
                                                                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00404456
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1860320154-0
                                                                                                                                                                                    • Opcode ID: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                    • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                                                                                                                                                                                    • Opcode Fuzzy Hash: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                    • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404738
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00404759
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 004047DB
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040485A
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 00404876
                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • N, xrefs: 004047F4
                                                                                                                                                                                    • "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk", xrefs: 00404835
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                    • String ID: "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"$N
                                                                                                                                                                                    • API String ID: 3103080414-786726994
                                                                                                                                                                                    • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                    • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                    • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                    • String ID: F
                                                                                                                                                                                    • API String ID: 941294808-1304234792
                                                                                                                                                                                    • Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                    • Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
                                                                                                                                                                                    • Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A03
                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                                                                                                                                                                    • lstrcmpiW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",0042D268,00000000,?,?), ref: 00404AF1
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,"C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"), ref: 00404AFD
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F
                                                                                                                                                                                      • Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406827
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406836
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040683B
                                                                                                                                                                                      • Part of subcall function 004067C4: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040684E
                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                                                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                                                                                                                                                                                      • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                      • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                      • Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: "C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk"$A$C:\Program Files\Wildix\WIService
                                                                                                                                                                                    • API String ID: 2624150263-3131688590
                                                                                                                                                                                    • Opcode ID: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                    • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                                                                                                                                                                    • Opcode Fuzzy Hash: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
                                                                                                                                                                                      • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                                                                                      • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
                                                                                                                                                                                    • wsprintfA.USER32 ref: 00406202
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                                                                                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                                                                                                                                                                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 004062EB
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
                                                                                                                                                                                      • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                      • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                    • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                    • API String ID: 2171350718-461813615
                                                                                                                                                                                    • Opcode ID: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
                                                                                                                                                                                    • Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0040451D
                                                                                                                                                                                    • GetSysColor.USER32(00000000), ref: 0040455B
                                                                                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00404567
                                                                                                                                                                                    • SetBkMode.GDI32(?,?), ref: 00404573
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404586
                                                                                                                                                                                    • SetBkColor.GDI32(?,?), ref: 00404596
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004045B0
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 004045BA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2320649405-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                                                                                                                                                      • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                    • String ID: 9
                                                                                                                                                                                    • API String ID: 163830602-2366072709
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 701425C2
                                                                                                                                                                                      • Part of subcall function 701412CC: lstrcpynW.KERNEL32(00000000,?,7014137F,00000019,701411CA,-000000A0), ref: 701412DC
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040), ref: 70142548
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 70142563
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                                                                                                    • String ID: @H3w
                                                                                                                                                                                    • API String ID: 4216380887-4275297014
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                    • lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                    • lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                    • SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1495540970-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406827
                                                                                                                                                                                    • CharNextW.USER32(?,?,?,00000000,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00406836
                                                                                                                                                                                    • CharNextW.USER32(?,00000000,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040683B
                                                                                                                                                                                    • CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,?,00403508,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 0040684E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Char$Next$Prev
                                                                                                                                                                                    • String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 589700163-1439852002
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                                                                                                                                                                                    • GetMessagePos.USER32 ref: 00404E77
                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404E91
                                                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                                                                                                                                                                    • MulDiv.KERNEL32(01858A60,00000064,0185B4D8), ref: 00402FDC
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00402FEC
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402FE6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 701412BB: GlobalAlloc.KERNELBASE(00000040,?,701412DB,?,7014137F,00000019,701411CA,-000000A0), ref: 701412C5
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70142743
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70142778
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00402A06
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeGlobal
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2979337801-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00401DE5
                                                                                                                                                                                    • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                                                                                                                                                    • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00401E51
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32("C:\Windows\explorer.exe" "C:\Program Files\Wildix\WIService\proxyex.lnk",00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2584051700-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,701422D8,?,00000808), ref: 701416D5
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,701422D8,?,00000808), ref: 701416DC
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,701422D8,?,00000808), ref: 701416F0
                                                                                                                                                                                    • GetProcAddress.KERNEL32(701422D8,00000000), ref: 701416F7
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70141700
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1148316912-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                                                                    • String ID: !
                                                                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                                                                    • Opcode ID: 8eaa60c285ed2ca3ba3cc070ccd72c3506245c9ef86633ed67cf81484c09c26b
                                                                                                                                                                                    • Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8eaa60c285ed2ca3ba3cc070ccd72c3506245c9ef86633ed67cf81484c09c26b
                                                                                                                                                                                    • Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C69,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 00405EC5
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    • API String ID: 3213498283-3404278061
                                                                                                                                                                                    • Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                                                                                                                                                                                    • Instruction ID: b7f7aa27055ddc775a1b47344aef2f77b81fec2ea34db2f3ccdabfa21b6bce3d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7BF0F631810E1296DB317B548C44E7B97BCEB64354B04843BD741B71C0D3BC8D808BDA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,0040351A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405E12
                                                                                                                                                                                    • CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,0040351A,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,00403810), ref: 00405E1C
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014), ref: 00405E2E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405E0C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharPrevlstrcatlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 2659869361-2382934351
                                                                                                                                                                                    • Opcode ID: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                                                                                    • Instruction ID: 1a595bf39a0a3392b99637bd72bd9cca8666c17676e511d5d4bf90e80f698eee
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7317fb0b60a0da6156192e69c80d181f5022b3d5f83b8f009beaa75eacd33bdb
                                                                                                                                                                                    • Instruction Fuzzy Hash: A8D0A731101930BAC2127B49EC08DDF62ACAE89340341443BF145B30A4CB7C5E5187FD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 70141171
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 701411E3
                                                                                                                                                                                    • GlobalFree.KERNEL32 ref: 7014124A
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 7014129B
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 701412B1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2541403932.0000000070141000.00000020.00000001.01000000.0000000F.sdmp, Offset: 70140000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_70140000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                    • Opcode ID: 133d9b08a57a34310c712742fc0513156ba9fa786bdc5f5df08181b091ff0a62
                                                                                                                                                                                    • Instruction ID: f4c3bc4fde7445723cf6792ef03e0b5dd2659b3d4b42defcf1b8a34379be9dbc
                                                                                                                                                                                    • Opcode Fuzzy Hash: 133d9b08a57a34310c712742fc0513156ba9fa786bdc5f5df08181b091ff0a62
                                                                                                                                                                                    • Instruction Fuzzy Hash: D8516ABA9002019FD700CF69D955E5A7BB8FB0A715B325129FA46DBB31E7B4E900CB60
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(C:\Program Files\Wildix\WIService\proxyex.lnk), ref: 00402695
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService\proxyex.lnk$C:\Program Files\Wildix\WIService\wiservice.exe
                                                                                                                                                                                    • API String ID: 1659193697-2636579033
                                                                                                                                                                                    • Opcode ID: fbd5ee5e4de60feb08ffa62b35b3018c7a91bb86716aa8782bbd76b946f17d50
                                                                                                                                                                                    • Instruction ID: edf8e5a6553ae7ef136857fb61bcac29e22bbc78049b19fa22ca3c34260198f3
                                                                                                                                                                                    • Opcode Fuzzy Hash: fbd5ee5e4de60feb08ffa62b35b3018c7a91bb86716aa8782bbd76b946f17d50
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2611EB71A00215BBCB10BFB18E4AAAE7665AF40744F25443FE002B71C2EAFC8891565E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040304A
                                                                                                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                                                                    • Opcode ID: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                                                                                                                                                                                    • Instruction ID: 3364d2369d767f53e7c05e99e54cbc9c067443d5da9c9f227d7c3a258cba7bb7
                                                                                                                                                                                    • Opcode Fuzzy Hash: a982ea5e0a4ecb993fc2e9b794e4afe077943b4b771bcbca33e5c7758572dd30
                                                                                                                                                                                    • Instruction Fuzzy Hash: A9F08270702A20AFC2316F50FE4998B7F68FB44B56741447AF446B15ACCB380DA2CB9D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00405542
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                                                                                                                                                                      • Part of subcall function 004044E5: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004044F7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                    • Opcode ID: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                                                                                    • Instruction ID: 904a7c61355239921aaa7855b64c86422fca6e8886f64d9e6fcbc6a993ea73ec
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0dea828d0dd479423763887dac230e90f27d8b8ae518018479b0ad82d517bb95
                                                                                                                                                                                    • Instruction Fuzzy Hash: F3017CB1100608BFDF209F11DD80AAB3B27EB84754F50453AFA01762D5D77A8E92DA69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B2F,00403A5E,?), ref: 00403B71
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00403B78
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B57
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$GlobalLibrary
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\
                                                                                                                                                                                    • API String ID: 1100898210-2382934351
                                                                                                                                                                                    • Opcode ID: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                                                                                                                                                    • Instruction ID: 19c5699a9bb8b3376c06320bd1355d3f7d45777e2bc9a3354ca833756e7661a4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 14d9b0f9b7ecca22f0083886da8930ddd6c03ed0d6fdc94ff3a28603f1b7b4ab
                                                                                                                                                                                    • Instruction Fuzzy Hash: 40E0EC3290212097C7615F55FE08B6E7B78AF49B26F05056AE884BB2628B746D428BDC
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(80000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,004030E9,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
                                                                                                                                                                                    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,004030E9,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003), ref: 00405E6E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp, xrefs: 00405E58
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharPrevlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp
                                                                                                                                                                                    • API String ID: 2709904686-4128723618
                                                                                                                                                                                    • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                                    • Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                                    • Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
                                                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000007.00000002.2539117470.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_7_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                    • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

Execution Graph

Execution Coverage:23.7%
Dynamic/Decrypted Code Coverage:0%
Signature Coverage:0%
Total number of Nodes:1345
Total number of Limit Nodes:26
5 API calls 3283->3284 3288 403650 #17 OleInitialize SHGetFileInfoW 3284->3288 3287 40369d GetCommandLineW 3363 40653d lstrcpynW 3287->3363 3362 40653d lstrcpynW 3288->3362 3290 4036af 3291 405e39 CharNextW 3290->3291 3292 4036d5 CharNextW 3291->3292 3304 4036e6 3292->3304 3293 4037e4 3294 4037f8 GetTempPathW 3293->3294 3364 4034fc 3294->3364 3296 403810 3298 403814 GetWindowsDirectoryW lstrcatW 3296->3298 3299 40386a DeleteFileW 3296->3299 3297 405e39 CharNextW 3297->3304 3300 4034fc 12 API calls 3298->3300 3374 40307d GetTickCount GetModuleFileNameW 3299->3374 3302 403830 3300->3302 3302->3299 3305 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 3302->3305 3303 40387d 3307 403a59 ExitProcess CoUninitialize 3303->3307 3309 403932 3303->3309 3317 405e39 CharNextW 3303->3317 3304->3293 3304->3297 3306 4037e6 3304->3306 3308 4034fc 12 API calls 3305->3308 3459 40653d lstrcpynW 3306->3459 3311 403a69 3307->3311 3312 403a7e 3307->3312 3316 403862 3308->3316 3402 403bec 3309->3402 3464 405b9d 3311->3464 3314 403a86 GetCurrentProcess OpenProcessToken 3312->3314 3315 403afc ExitProcess 3312->3315 3320 403acc 3314->3320 3321 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 3314->3321 3316->3299 3316->3307 3331 40389f 3317->3331 3324 40690a 5 API calls 3320->3324 3321->3320 3322 403941 3322->3307 3327 403ad3 3324->3327 3325 403908 3328 405f14 18 API calls 3325->3328 3326 403949 3330 405b08 5 API calls 3326->3330 3329 403ae8 ExitWindowsEx 3327->3329 3333 403af5 3327->3333 3332 403914 3328->3332 3329->3315 3329->3333 3334 40394e lstrcatW 3330->3334 3331->3325 3331->3326 3332->3307 3460 40653d lstrcpynW 3332->3460 3468 40140b 3333->3468 3335 40396a lstrcatW lstrcmpiW 3334->3335 3336 40395f lstrcatW 3334->3336 3335->3322 3338 40398a 3335->3338 3336->3335 3340 403996 3338->3340 3341 40398f 3338->3341 3344 405aeb 2 API calls 3340->3344 3343 405a6e 4 API calls 3341->3343 3342 403927 3461 40653d lstrcpynW 3342->3461 3346 403994 3343->3346 3347 40399b 
SetCurrentDirectoryW 3344->3347 3346->3347 3348 4039b8 3347->3348 3349 4039ad 3347->3349 3463 40653d lstrcpynW 3348->3463 3462 40653d lstrcpynW 3349->3462 3352 40657a 17 API calls 3353 4039fa DeleteFileW 3352->3353 3354 403a06 CopyFileW 3353->3354 3359 4039c5 3353->3359 3354->3359 3355 403a50 3357 4062fd 36 API calls 3355->3357 3356 4062fd 36 API calls 3356->3359 3357->3322 3358 40657a 17 API calls 3358->3359 3359->3352 3359->3355 3359->3356 3359->3358 3360 405b20 2 API calls 3359->3360 3361 403a3a CloseHandle 3359->3361 3360->3359 3361->3359 3362->3287 3363->3290 3365 4067c4 5 API calls 3364->3365 3367 403508 3365->3367 3366 403512 3366->3296 3367->3366 3368 405e0c 3 API calls 3367->3368 3369 40351a 3368->3369 3370 405aeb 2 API calls 3369->3370 3371 403520 3370->3371 3471 40605c 3371->3471 3475 40602d GetFileAttributesW CreateFileW 3374->3475 3376 4030bd 3394 4030cd 3376->3394 3476 40653d lstrcpynW 3376->3476 3378 4030e3 3379 405e58 2 API calls 3378->3379 3380 4030e9 3379->3380 3477 40653d lstrcpynW 3380->3477 3382 4030f4 GetFileSize 3383 4031ee 3382->3383 3401 40310b 3382->3401 3478 403019 3383->3478 3385 4031f7 3387 403227 GlobalAlloc 3385->3387 3385->3394 3490 4034e5 SetFilePointer 3385->3490 3386 4034cf ReadFile 3386->3401 3489 4034e5 SetFilePointer 3387->3489 3389 40325a 3391 403019 6 API calls 3389->3391 3391->3394 3392 403210 3395 4034cf ReadFile 3392->3395 3393 403242 3396 4032b4 31 API calls 3393->3396 3394->3303 3397 40321b 3395->3397 3399 40324e 3396->3399 3397->3387 3397->3394 3398 403019 6 API calls 3398->3401 3399->3394 3399->3399 3400 40328b SetFilePointer 3399->3400 3400->3394 3401->3383 3401->3386 3401->3389 3401->3394 3401->3398 3403 40690a 5 API calls 3402->3403 3404 403c00 3403->3404 3405 403c06 3404->3405 3406 403c18 3404->3406 3499 406484 wsprintfW 3405->3499 3407 40640b 3 API calls 3406->3407 3408 403c48 3407->3408 3409 403c67 lstrcatW 3408->3409 3411 40640b 3 API calls 3408->3411 3412 403c16 3409->3412 3411->3409 3491 403ec2 3412->3491 3415 
405f14 18 API calls 3416 403c99 3415->3416 3417 403d2d 3416->3417 3419 40640b 3 API calls 3416->3419 3418 405f14 18 API calls 3417->3418 3420 403d33 3418->3420 3422 403ccb 3419->3422 3421 403d43 LoadImageW 3420->3421 3423 40657a 17 API calls 3420->3423 3424 403de9 3421->3424 3425 403d6a RegisterClassW 3421->3425 3422->3417 3426 403cec lstrlenW 3422->3426 3430 405e39 CharNextW 3422->3430 3423->3421 3429 40140b 2 API calls 3424->3429 3427 403da0 SystemParametersInfoW CreateWindowExW 3425->3427 3428 403df3 3425->3428 3431 403d20 3426->3431 3432 403cfa lstrcmpiW 3426->3432 3427->3424 3428->3322 3433 403def 3429->3433 3434 403ce9 3430->3434 3436 405e0c 3 API calls 3431->3436 3432->3431 3435 403d0a GetFileAttributesW 3432->3435 3433->3428 3438 403ec2 18 API calls 3433->3438 3434->3426 3437 403d16 3435->3437 3439 403d26 3436->3439 3437->3431 3440 405e58 2 API calls 3437->3440 3441 403e00 3438->3441 3500 40653d lstrcpynW 3439->3500 3440->3431 3443 403e0c ShowWindow 3441->3443 3444 403e8f 3441->3444 3446 40689a 3 API calls 3443->3446 3501 405672 OleInitialize 3444->3501 3448 403e24 3446->3448 3447 403e95 3449 403eb1 3447->3449 3450 403e99 3447->3450 3451 403e32 GetClassInfoW 3448->3451 3453 40689a 3 API calls 3448->3453 3452 40140b 2 API calls 3449->3452 3450->3428 3457 40140b 2 API calls 3450->3457 3454 403e46 GetClassInfoW RegisterClassW 3451->3454 3455 403e5c DialogBoxParamW 3451->3455 3452->3428 3453->3451 3454->3455 3456 40140b 2 API calls 3455->3456 3458 403e84 3456->3458 3457->3428 3458->3428 3459->3294 3460->3342 3461->3309 3462->3348 3463->3359 3465 405bb2 3464->3465 3466 403a76 ExitProcess 3465->3466 3467 405bc6 MessageBoxIndirectW 3465->3467 3467->3466 3469 401389 2 API calls 3468->3469 3470 401420 3469->3470 3470->3315 3472 406069 GetTickCount GetTempFileNameW 3471->3472 3473 40352b 3472->3473 3474 40609f 3472->3474 3473->3296 3474->3472 3474->3473 3475->3376 3476->3378 3477->3382 3479 403022 3478->3479 3480 40303a 3478->3480 3481 403032 3479->3481 3482 40302b 
DestroyWindow 3479->3482 3483 403042 3480->3483 3484 40304a GetTickCount 3480->3484 3481->3385 3482->3481 3485 406946 2 API calls 3483->3485 3486 403058 CreateDialogParamW ShowWindow 3484->3486 3487 40307b 3484->3487 3488 403048 3485->3488 3486->3487 3487->3385 3488->3385 3489->3393 3490->3392 3492 403ed6 3491->3492 3508 406484 wsprintfW 3492->3508 3494 403f47 3509 403f7b 3494->3509 3496 403c77 3496->3415 3497 403f4c 3497->3496 3498 40657a 17 API calls 3497->3498 3498->3497 3499->3412 3500->3417 3512 4044e5 3501->3512 3503 4056bc 3504 4044e5 SendMessageW 3503->3504 3506 4056ce OleUninitialize 3504->3506 3505 405695 3505->3503 3515 401389 3505->3515 3506->3447 3508->3494 3510 40657a 17 API calls 3509->3510 3511 403f89 SetWindowTextW 3510->3511 3511->3497 3513 4044fd 3512->3513 3514 4044ee SendMessageW 3512->3514 3513->3505 3514->3513 3517 401390 3515->3517 3516 4013fe 3516->3505 3517->3516 3518 4013cb MulDiv SendMessageW 3517->3518 3518->3517 4391 401a30 4392 402da6 17 API calls 4391->4392 4393 401a39 ExpandEnvironmentStringsW 4392->4393 4394 401a4d 4393->4394 4396 401a60 4393->4396 4395 401a52 lstrcmpW 4394->4395 4394->4396 4395->4396 4402 4023b2 4403 4023ba 4402->4403 4405 4023c0 4402->4405 4404 402da6 17 API calls 4403->4404 4404->4405 4406 402da6 17 API calls 4405->4406 4407 4023ce 4405->4407 4406->4407 4408 4023dc 4407->4408 4409 402da6 17 API calls 4407->4409 4410 402da6 17 API calls 4408->4410 4409->4408 4411 4023e5 WritePrivateProfileStringW 4410->4411 3580 402434 3581 402467 3580->3581 3582 40243c 3580->3582 3583 402da6 17 API calls 3581->3583 3584 402de6 17 API calls 3582->3584 3585 40246e 3583->3585 3586 402443 3584->3586 3591 402e64 3585->3591 3588 40247b 3586->3588 3589 402da6 17 API calls 3586->3589 3590 402454 RegDeleteValueW RegCloseKey 3589->3590 3590->3588 3592 402e71 3591->3592 3593 402e78 3591->3593 3592->3588 3593->3592 3595 402ea9 3593->3595 3596 4063aa RegOpenKeyExW 3595->3596 3597 402ed7 3596->3597 3598 402ee1 3597->3598 3599 402f8c 
3597->3599 3600 402ee7 RegEnumValueW 3598->3600 3607 402f0a 3598->3607 3599->3592 3601 402f71 RegCloseKey 3600->3601 3600->3607 3601->3599 3602 402f46 RegEnumKeyW 3603 402f4f RegCloseKey 3602->3603 3602->3607 3604 40690a 5 API calls 3603->3604 3606 402f5f 3604->3606 3605 402ea9 6 API calls 3605->3607 3608 402f81 3606->3608 3609 402f63 RegDeleteKeyW 3606->3609 3607->3601 3607->3602 3607->3603 3607->3605 3608->3599 3609->3599 4412 401735 4413 402da6 17 API calls 4412->4413 4414 40173c SearchPathW 4413->4414 4415 401757 4414->4415 4416 401d38 4417 402d84 17 API calls 4416->4417 4418 401d3f 4417->4418 4419 402d84 17 API calls 4418->4419 4420 401d4b GetDlgItem 4419->4420 4421 402638 4420->4421 4422 4014b8 4423 4014be 4422->4423 4424 401389 2 API calls 4423->4424 4425 4014c6 4424->4425 4426 40263e 4427 402652 4426->4427 4428 40266d 4426->4428 4429 402d84 17 API calls 4427->4429 4430 402672 4428->4430 4431 40269d 4428->4431 4438 402659 4429->4438 4432 402da6 17 API calls 4430->4432 4433 402da6 17 API calls 4431->4433 4435 402679 4432->4435 4434 4026a4 lstrlenW 4433->4434 4434->4438 4443 40655f WideCharToMultiByte 4435->4443 4437 40268d lstrlenA 4437->4438 4439 4026d1 4438->4439 4440 4026e7 4438->4440 4442 40610e 5 API calls 4438->4442 4439->4440 4441 4060df WriteFile 4439->4441 4441->4440 4442->4439 4443->4437

APIs
• SetErrorMode.KERNELBASE(00008001), ref: 00403550
• GetVersionExW.KERNEL32(?), ref: 00403579
• GetVersionExW.KERNEL32(0000011C), ref: 00403590
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
• #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
• OleInitialize.OLE32(00000000), ref: 0040366A
• SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
• GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
• CharNextW.USER32(00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true,00000020,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true,00000000), ref: 004036D6
• GetTempPathW.KERNEL32(00000400,00442800,00000000,?), ref: 00403809
• GetWindowsDirectoryW.KERNEL32(00442800,000003FB), ref: 0040381A
• lstrcatW.KERNEL32(00442800,\Temp), ref: 00403826
• GetTempPathW.KERNEL32(000003FC,00442800,00442800,\Temp), ref: 0040383A
• lstrcatW.KERNEL32(00442800,Low), ref: 00403842
• SetEnvironmentVariableW.KERNEL32(TEMP,00442800,00442800,Low), ref: 00403853
• SetEnvironmentVariableW.KERNEL32(TMP,00442800), ref: 0040385B
• DeleteFileW.KERNELBASE(00442000), ref: 0040386F
• lstrcatW.KERNEL32(00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 00403956
• lstrcatW.KERNEL32(00442800,0040A26C,00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 00403965
  • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00405AF1
• lstrcatW.KERNEL32(00442800,.tmp,00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 00403970
• lstrcmpiW.KERNEL32(00442800,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,00442800,.tmp,00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true,00000000,?), ref: 0040397C
• SetCurrentDirectoryW.KERNEL32(00442800,00442800), ref: 0040399C
• DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
• CopyFileW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,0042AA28,00000001), ref: 00403A0E
• CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
• ExitProcess.KERNEL32(?), ref: 00403A59
• CoUninitialize.COMBASE(?), ref: 00403A5E
• ExitProcess.KERNEL32 ref: 00403A78
• GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
• OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
• LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
• ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
• ExitProcess.KERNEL32 ref: 00403B0C
Memory Dump Source
• Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
Similarity
• API ID: Processlstrcat$ExitFile$Directory$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
• String ID: .tmp$C:\Program Files\Wildix\WIService$C:\Program Files\Wildix\WIService$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S /updateRecovery=true$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
• API String ID: 2292928366-4148358065
• Opcode ID: e805ab00ed8521cef9d67492f65783a092b2e0cefe37e968f3c93af94c7db321
• Instruction ID: 4d4dc0a58e4858e72561def8a0259f0227da8af974c10a5ea2b310ef4b80d7a5
• Opcode Fuzzy Hash: e805ab00ed8521cef9d67492f65783a092b2e0cefe37e968f3c93af94c7db321
• Instruction Fuzzy Hash: 66E10670A00214AADB10AFB59D45BAF3AB8EF4470AF14847FF545B22D1DB7C8A41CB6D

Control-flow Graph for the function at 405c49 (rendered graph not reproduced; legend: executed / not executed blocks)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,771B3420,00442800,00000000), ref: 00405C72
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Windows\TEMP\nstA20.tmp\*.*,\*.*,C:\Windows\TEMP\nstA20.tmp\*.*,?,?,771B3420,00442800,00000000), ref: 00405CBA
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,C:\Windows\TEMP\nstA20.tmp\*.*,?,?,771B3420,00442800,00000000), ref: 00405CDD
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Windows\TEMP\nstA20.tmp\*.*,?,?,771B3420,00442800,00000000), ref: 00405CE3
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(C:\Windows\TEMP\nstA20.tmp\*.*,?,?,?,0040A014,?,C:\Windows\TEMP\nstA20.tmp\*.*,?,?,771B3420,00442800,00000000), ref: 00405CF3
                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405DA2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                    • String ID: .$.$C:\Windows\TEMP\nstA20.tmp\*.*$\*.*
                                                                                                                                                                                    • API String ID: 2035342205-685965969
                                                                                                                                                                                    • Opcode ID: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
                                                                                                                                                                                    • Instruction ID: 8b2ee76931e9ba666d6dc67a471f1b560bbb00ea1adf29c264b32972d7114dcf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 91e5555b9508150fcf6e55f7c9d4dc2ae8152fc7335161658e002f7252bbf59f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3D41A130900A14BADB216B65CC8DABF7678DF81714F14817FF841B21D1D77C4A819EAE
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(771B3420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800), ref: 0040687E
                                                                                                                                                                                    • FindClose.KERNELBASE(00000000), ref: 0040688A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    • API String ID: 2295610775-3404278061
                                                                                                                                                                                    • Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                                                                                    • Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                                                                                    • Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(00000000,?,00000002), ref: 0040291A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindFirst
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1974802433-0
                                                                                                                                                                                    • Opcode ID: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                                                                                                                                                                    • Instruction ID: 3f6fbcf0fd4d311cdd608d5f72697756ed96b8559223cd5d9f1c4d92bc61f1b3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 23bc45f7dafbc09bf3d58dfb9668e04a20f74da7ffae18e0ad0b6f577034eb1d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3CF08271A04105EFD701DBA4ED49AAEB378FF14314F60417BE116F21D0E7B88E159B29

Control-flow Graph for the function at 403bec (rendered graph not reproduced; legend: executed / not executed blocks)
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                                                                                      • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                                                                                    • lstrcatW.KERNEL32(00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,771B3420,00442800,?,00000000,?), ref: 00403C6D
                                                                                                                                                                                    • lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Program Files\Wildix\WIService,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,771B3420), ref: 00403CED
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Program Files\Wildix\WIService,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(Call,?,00000000,?), ref: 00403D0B
                                                                                                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\Wildix\WIService), ref: 00403D54
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    • RegisterClassW.USER32(00433EA0), ref: 00403D91
                                                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
                                                                                                                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
                                                                                                                                                                                    • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
                                                                                                                                                                                    • RegisterClassW.USER32(00433EA0), ref: 00403E56
                                                                                                                                                                                    • DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$C:\Program Files\Wildix\WIService$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                    • API String ID: 1975747703-3279136279
                                                                                                                                                                                    • Opcode ID: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
                                                                                                                                                                                    • Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
                                                                                                                                                                                    • Opcode Fuzzy Hash: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
                                                                                                                                                                                    • Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040308E
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                                                                                                                                                                      • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                      • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
                                                                                                                                                                                    • API String ID: 2803837635-1313478757
                                                                                                                                                                                    • Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                                                                                                                                    • Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
                                                                                                                                                                                    • Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406695
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,?,771B23A0), ref: 004066A8
                                                                                                                                                                                    • lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                    • lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Directory$SystemWindowslstrcatlstrlen
                                                                                                                                                                                    • String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                    • API String ID: 4260037668-1230650788
                                                                                                                                                                                    • Opcode ID: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                                                                                    • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                                                                    • String ID: *B$ A$ A$... %d%%$}8@
                                                                                                                                                                                    • API String ID: 551687249-3029848762

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000,Call,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017B0
                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017D5
                                                                                                                                                                                      • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService$C:\Windows\TEMP\nstA20.tmp$C:\Windows\TEMP\nstA20.tmp\System.dll$Call
                                                                                                                                                                                    • API String ID: 1941528284-3277743835

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                                                                                    • wsprintfW.USER32 ref: 004068EC
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                    • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                    • API String ID: 2200240437-1946221925

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                                                                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseEnum$DeleteValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1354259210-0

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 559 40248a-4024bb call 402da6 * 2 call 402e36 566 4024c1-4024cb 559->566 567 402c2a-402c39 559->567 569 4024cd-4024da call 402da6 lstrlenW 566->569 570 4024de-4024e1 566->570 569->570 573 4024e3-4024f4 call 402d84 570->573 574 4024f5-4024f8 570->574 573->574 575 402509-40251d RegSetValueExW 574->575 576 4024fa-402504 call 4032b4 574->576 580 402522-402603 RegCloseKey 575->580 581 40251f 575->581 576->575 580->567 584 40292e-402935 580->584 581->580 584->567
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\Windows\TEMP\nstA20.tmp,00000023,00000011,00000002), ref: 004024D5
                                                                                                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Windows\TEMP\nstA20.tmp,00000000,00000011,00000002), ref: 00402515
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nstA20.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                                                    • String ID: C:\Windows\TEMP\nstA20.tmp
                                                                                                                                                                                    • API String ID: 2655323295-4195019874

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 585 405a6e-405ab9 CreateDirectoryW 586 405abb-405abd 585->586 587 405abf-405acc GetLastError 585->587 588 405ae6-405ae8 586->588 587->588 589 405ace-405ae2 SetFileSecurityW 587->589 589->586 590 405ae4 GetLastError 589->590 590->588
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,?,00442800), ref: 00405AB1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AC5
                                                                                                                                                                                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AE4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3449924974-0

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 591 4015c1-4015d5 call 402da6 call 405eb7 596 401631-401634 591->596 597 4015d7-4015ea call 405e39 591->597 599 401663-4022f6 call 401423 596->599 600 401636-401655 call 401423 call 40653d SetCurrentDirectoryW 596->600 605 401604-401607 call 405aeb 597->605 606 4015ec-4015ef 597->606 612 402c2a-402c39 599->612 600->612 618 40165b-40165e 600->618 615 40160c-40160e 605->615 606->605 609 4015f1-4015f8 call 405b08 606->609 609->605 624 4015fa-4015fd call 405a6e 609->624 619 401610-401615 615->619 620 401627-40162f 615->620 618->612 621 401624 619->621 622 401617-401622 GetFileAttributesW 619->622 620->596 620->597 621->620 622->620 622->621 626 401602 624->626 626->615
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405EC5
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                      • Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,00442800), ref: 00405AB1
                                                                                                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files\Wildix\WIService,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Program Files\Wildix\WIService, xrefs: 00401640
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService
                                                                                                                                                                                    • API String ID: 1892508949-2436880260

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 627 405f14-405f2f call 40653d call 405eb7 632 405f31-405f33 627->632 633 405f35-405f42 call 4067c4 627->633 634 405f8d-405f8f 632->634 637 405f52-405f56 633->637 638 405f44-405f4a 633->638 639 405f6c-405f75 lstrlenW 637->639 638->632 640 405f4c-405f50 638->640 641 405f77-405f8b call 405e0c GetFileAttributesW 639->641 642 405f58-405f5f call 406873 639->642 640->632 640->637 641->634 647 405f61-405f64 642->647 648 405f66-405f67 call 405e58 642->648 647->632 647->648 648->639
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405EC5
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405F6D
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800), ref: 00405F7D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    • API String ID: 3248276644-3404278061
                                                                                                                                                                                    • Opcode ID: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                                                                                                                                    • Instruction ID: e20fb510edeaf32ba19235dad054e15b0ffac27cf679254cac4fdbc394554759
                                                                                                                                                                                    • Opcode Fuzzy Hash: 442e1b1d96b1c23b6c0207761c3788c7dd97485575ed4e88a223653099446a7a
                                                                                                                                                                                    • Instruction Fuzzy Hash: E3F0F426119D6226DB22333A5C05EAF0554CE9276475A023BF895B12C5DB3C8A43D8AE

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 650 40640b-40643d call 4063aa 653 40647b 650->653 654 40643f-40646d RegQueryValueExW RegCloseKey 650->654 656 40647f-406481 653->656 654->653 655 40646f-406473 654->655 655->656 657 406475-406479 655->657 657->653 657->656
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,Call,?,?,00406672,80000002), ref: 00406451
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,0042C248), ref: 0040645C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID: Call
                                                                                                                                                                                    • API String ID: 3356406503-1824292864
                                                                                                                                                                                    • Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                                                                                                                                    • Instruction ID: a8d415a3dc4e4479eaaa65942f717852bb8bd3539c12dad3b2e52d491ce509ba
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
                                                                                                                                                                                    • Instruction Fuzzy Hash: FB017C72510209AADF21CF51CC09EDB3BB8FB54364F01803AFD5AA6190D738D968DBA8

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    control_flow_graph 658 40605c-406068 659 406069-40609d GetTickCount GetTempFileNameW 658->659 660 4060ac-4060ae 659->660 661 40609f-4060a1 659->661 663 4060a6-4060a9 660->663 661->659 662 4060a3 661->662 662->663
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040607A
                                                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,00442000,00442800,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00406095
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                                                    • String ID: nsa
                                                                                                                                                                                    • API String ID: 1716503409-2209301699
                                                                                                                                                                                    • Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                                                                                                                                    • Instruction ID: cc98cbd97bba9fac9576f26979179aa346a2ab2dc3c85b14509754d74f2b81c3
                                                                                                                                                                                    • Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
                                                                                                                                                                                    • Instruction Fuzzy Hash: CEF09076B40204FBEB00CF69ED05E9EB7BCEB95750F11803AFA05F7140E6B499648768
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 334405425-0
                                                                                                                                                                                    • Opcode ID: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
                                                                                                                                                                                    • Instruction ID: d1cf9917c249e547a3b1759614bc69e8b445b1996c4dbd71fd6f6dd46acd7470
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0812a69665cf11e377adb3684f8a171474585e26745252b9346dd4e1bc3f05c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2A21C231904104FACF11AFA5CE48A9D7A71BF48358F20413BF605B91E1DBBD8A82965D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00401C0B
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C1D
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFreelstrcatlstrlen
                                                                                                                                                                                    • String ID: Call
                                                                                                                                                                                    • API String ID: 3292104215-1824292864
                                                                                                                                                                                    • Opcode ID: f7499587b74b1f9cb3fce9f730428132cfcdd1475af0708a05741156e8f6fa82
                                                                                                                                                                                    • Instruction ID: 7c0f58a685d1fc6dd3685da305ee1819882fb4420ac17dc2787245939102450a
                                                                                                                                                                                    • Opcode Fuzzy Hash: f7499587b74b1f9cb3fce9f730428132cfcdd1475af0708a05741156e8f6fa82
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1B21D872904210EBDB20AFA8EE84A5E73B4EB04715755063BF552F72D0D7B8AC414B9D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
                                                                                                                                                                                    • RegEnumValueW.KERNELBASE(00000000,00000000,?,?), ref: 004025E4
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nstA20.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Enum$CloseValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 397863658-0
                                                                                                                                                                                    • Opcode ID: 2ceb002e910c094db02aea1c2c62d66cc74a7b046aa56edd155f21af9fce9564
                                                                                                                                                                                    • Instruction ID: 08080f496e1fbaad801da7c4a2f11cdf7a22a5a493a276a89d416976773fa01e
                                                                                                                                                                                    • Opcode Fuzzy Hash: 2ceb002e910c094db02aea1c2c62d66cc74a7b046aa56edd155f21af9fce9564
                                                                                                                                                                                    • Instruction Fuzzy Hash: 89017CB1A04105ABEB159F94DE58AAEB66CEF40348F10403AF501B61C0EBB85E44966D
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                                                                                                                                                                      • Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                                                                                                                                                                    • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
                                                                                                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405C3C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1655745494-0
                                                                                                                                                                                    • Opcode ID: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                                                                                                                                                                                    • Instruction ID: 0274c5225d47ddc366315f3a2fda4b694ad97aa72442a0e2fcdbaf00fd257d87
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8eed124eda4cbc8430ddba83c09443e031bc029d4ce3365f7fb32bc961faff32
                                                                                                                                                                                    • Instruction Fuzzy Hash: F4E0E53110CF9156E61457309E08F5F2AD8EF86715F05493EF892B10C0CBB848068E6A
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 004069DB
                                                                                                                                                                                    • GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ObjectSingleWait$CodeExitProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2567322000-0
                                                                                                                                                                                    • Opcode ID: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
                                                                                                                                                                                    • Instruction ID: f5f2e02d25af80b97bb350a16654da7f97250589dc800b1049f4071f8343982b
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5001a44abd0e5b0949431453b9a2c42ce6d4f473903e6ae1ef305ee8f225f71a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0CE0D8B1A00118FBDB109F54DE05E9E7B6EDF44750F110033FA01B6590D7B19E25DB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CoCreateInstance.OLE32(004085F0,?,00000001,004085E0,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402229
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Program Files\Wildix\WIService, xrefs: 00402269
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateInstance
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService
                                                                                                                                                                                    • API String ID: 542301482-2436880260
                                                                                                                                                                                    • Opcode ID: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
                                                                                                                                                                                    • Instruction ID: 5977cb51530078b600b156af0050786de557c4b464dd586e6a5beaa7a0440451
                                                                                                                                                                                    • Opcode Fuzzy Hash: f0c7f0c58da5b2556a219b4126ec8a5e6c03aa9de5f34d462473648d541e39b0
                                                                                                                                                                                    • Instruction Fuzzy Hash: A7411571A00208EFCF40DFE4C989E9D7BB5BF49348B20456AF905EB2D1DB799981CB94
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nstA20.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                    • Opcode ID: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
                                                                                                                                                                                    • Instruction ID: 3e5dab0bbcc9b7b4348569693e39c51bc0b27c59e8ea0ed6abb05ebc10b9b344
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd1b1b3d94faa584660aa564dd852358c6c0cbefcfc3417a0db06bb84b323ca4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5F116D71900219EADF14DFA4DA589AE77B4FF04345B20443BE401B62C0E7B88A45EB5D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    • Opcode ID: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                                                                                                                                    • Instruction ID: f98c5e72cab4da6dd47fcf147c12dc0649e5852bd482257a86ca63d172a8b8d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: d8feea9b0bd879c8f8267a4ec85e9a32d700cac98845316580bbb569ce856791
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0B01F4316202209FE7094B389D05B6A3698E710319F14823FF851F65F1EA78DC029B4C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegDeleteValueW.KERNELBASE(00000000,00000000,00000033), ref: 00402456
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(00000000), ref: 0040245F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseDeleteValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2831762973-0
                                                                                                                                                                                    • Opcode ID: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
                                                                                                                                                                                    • Instruction ID: 30df5d2aec36195d54007c6df5f336708121daf1b93815cec1e8c6dbc8099d71
                                                                                                                                                                                    • Opcode Fuzzy Hash: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
                                                                                                                                                                                    • Instruction Fuzzy Hash: 22F0C232A00120EBDB11ABB89B4DAED72A8AF84314F15443BE141B71C0DAFC5D01866D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3712363035-0
                                                                                                                                                                                    • Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                                                                                                                                                    • Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                                                                                      • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                                                                                      • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                                                                                                                                                                      • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                     • Associated: 00000012.00000002.2370856243.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2370992598.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371038829.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                     • Associated: 00000012.00000002.2371432137.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2547128583-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,771B3420,00000000,00442800,00403B2F,00403A5E,?), ref: 00403B71
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00403B78
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Free$GlobalLibrary
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1100898210-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesCreate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 415043291-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                                                                                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CloseHandle.KERNEL32(FFFFFFFF,00403A5E,?), ref: 00403B1D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Windows\TEMP\nstA20.tmp\, xrefs: 00403B31
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseHandle
                                                                                                                                                                                    • String ID: C:\Windows\TEMP\nstA20.tmp\
                                                                                                                                                                                    • API String ID: 2962429428-328857802
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00403520,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00405AF1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AFF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                    • Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                                    • Instruction ID: 33feed20cbbf131019f18849f7ccc9358209a8d33535326e0157453b6049084a
                                                                                                                                                                                    • Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1BC04C30204501AED6105B609E48B177AA4DB50741F16843D6146E41E0DA789455EE2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028AF
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointerwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 327478801-0
                                                                                                                                                                                    • Opcode ID: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
                                                                                                                                                                                    • Instruction ID: a13d1cf18dcce6f7d85bed0b4e0fde0de6b16079219dfacd376ffc086bc6f252
                                                                                                                                                                                    • Opcode Fuzzy Hash: 1a69bed114d0c3cb27e295a60469d00fb85b85c1c8bbaab52ea3f411131a6a45
                                                                                                                                                                                    • Instruction Fuzzy Hash: D3E09271A04105BFDB01EFA5AE499AEB3B8EF44319B10483BF102F00C1DA794D119B2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,?,?), ref: 004028F2
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFindNext
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2029273394-0
                                                                                                                                                                                    • Opcode ID: 5a0eca54d12d830a6cf0b67cd5981ecab404d45d89ec6f49a99563b0e2ede8d6
                                                                                                                                                                                    • Instruction ID: db9f6404ebf4ce2de6069d57e227025b0e6a75b8a6eb25932bbfae1af7e2135c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 5a0eca54d12d830a6cf0b67cd5981ecab404d45d89ec6f49a99563b0e2ede8d6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3EE0E572A041159BDB11DFA5ED88AAE7374EF40314F20447BD102F61D0E7B85A55AB1D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                    • Opcode ID: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                    • Instruction ID: ccab944935cfefb85f0e849ce69279fb55db75a3b7fb0960311cd9d36817041a
                                                                                                                                                                                    • Opcode Fuzzy Hash: f0170b29b94a961cdf0cc122a920c286c7e5b726b195fdee8f598fb45efbb6e4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 04E0E6B2010109BFEF095F90DC0AD7B3B1DE704300F01892EFD06D4091E6B5AD306675
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C248,?,?,00406438,0042C248,00000000,?,?,Call,?), ref: 004063CE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MoveFileExW.KERNELBASE(?,?,00000005,00405DFB,?,00000000,000000F1,?,?,?,?,?), ref: 00406307
                                                                                                                                                                                      • Part of subcall function 00406183: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                                                                                                                                                                                      • Part of subcall function 00406183: GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
                                                                                                                                                                                      • Part of subcall function 00406183: GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
                                                                                                                                                                                      • Part of subcall function 00406183: wsprintfA.USER32 ref: 00406202
                                                                                                                                                                                      • Part of subcall function 00406183: GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                                                                                                                                                                      • Part of subcall function 00406183: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                                                                                                                                                                      • Part of subcall function 00406183: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                                                                                                                                                                      • Part of subcall function 00406183: SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1930046112-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                      • Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                      • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                                                                                                                                                                      • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                      • Part of subcall function 004069B5: GetExitCodeProcess.KERNELBASE(?,?), ref: 004069E8
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2972824698-0
                                                                                                                                                                                    • Opcode ID: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                    • Instruction ID: a015d294fcb9cc4e365613bb9e09bf6e78b00889af70ee47f703a6c6056ea9c8
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce2c2b897b5b7a5940bd958f4af0b0a61f650836c27f4d249739cb61e324a33b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 2DF09072904112EBCB21BBA59A84EDE76E8DF01318F25403BE102B21D1D77C4E429A6E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                    • Opcode ID: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                                                                                                                                                                    • Instruction ID: 7e4bd3fa72896d3e54e8b4d9ea8ddceac118c8145159a7c2ee745a60f6c60e84
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0247c60e4c81cd0d93bf07655b107266fb29897d22759340ec027b86c090604d
                                                                                                                                                                                    • Instruction Fuzzy Hash: 8DD0A773B141018BD704EBFCFE8545E73E8EB503293208C37D402E10D1E678C846461C
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040573C
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040574B
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00405788
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 0040578F
                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                                                                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                                                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040582B
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040584C
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040575A
                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040589E
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004058B3
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004058D7
                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 004058DC
                                                                                                                                                                                    • ShowWindow.USER32(00000008), ref: 00405926
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                                                                                                                                                                                    • CreatePopupMenu.USER32 ref: 0040596B
                                                                                                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040599F
                                                                                                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
                                                                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405A00
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00405A06
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405A1C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405A50
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 00405A61
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                    • String ID: {
                                                                                                                                                                                    • API String ID: 590372296-366298937
                                                                                                                                                                                    • Opcode ID: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
                                                                                                                                                                                    • Instruction ID: 6b97441d6f4cfe62a880681573964a63c423f2dd70b2063085686802d9cc5617
                                                                                                                                                                                    • Opcode Fuzzy Hash: f02b1789a548c21c126c9045b4544d5ada5808600bf44a06586be8ced473be55
                                                                                                                                                                                    • Instruction Fuzzy Hash: C8B169B1900608FFDB119FA0DD85AAE7B79FB44355F00803AFA41BA1A0C7755E51DF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                                                                                                                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                                                                                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00405000
                                                                                                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                                                                                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00405162
                                                                                                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                                                                                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                                                                                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                                                                                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                                                                                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                                                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00405340
                                                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                                                                                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 004054EA
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004054FC
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                    • String ID: $M$N
                                                                                                                                                                                    • API String ID: 2564846305-813528018
                                                                                                                                                                                    • Opcode ID: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                    • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                    • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403FF6
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                                                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00404021
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00404035
                                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 0040406D
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00404088
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00404133
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0040413D
                                                                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                                                                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 0040424E
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 0040426F
                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 00404281
                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 0040429C
                                                                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
                                                                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 004042B9
                                                                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                                                                                                                                                                                    • SetWindowTextW.USER32(?,0042D268), ref: 00404322
                                                                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00404456
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1860320154-0
                                                                                                                                                                                    • Opcode ID: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                    • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                                                                                                                                                                                    • Opcode Fuzzy Hash: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                    • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404738
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00404759
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 004047DB
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040485A
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 00404876
                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                    • String ID: Call$N
                                                                                                                                                                                    • API String ID: 3103080414-3438112850
                                                                                                                                                                                    • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                    • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                    • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                    • String ID: F
                                                                                                                                                                                    • API String ID: 941294808-1304234792
                                                                                                                                                                                    • Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                    • Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
                                                                                                                                                                                    • Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A03
                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 00404AF1
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,Call), ref: 00404AFD
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F
                                                                                                                                                                                      • Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
                                                                                                                                                                                      • Part of subcall function 004067C4: CharPrevW.USER32(?,?,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E
                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                                                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                                                                                                                                                                                      • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                      • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                      • Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: A$C:\Program Files\Wildix\WIService$Call
                                                                                                                                                                                    • API String ID: 2624150263-973401783
                                                                                                                                                                                    • Opcode ID: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                    • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                                                                                                                                                                    • Opcode Fuzzy Hash: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
                                                                                                                                                                                      • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                                                                                      • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
                                                                                                                                                                                    • wsprintfA.USER32 ref: 00406202
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                                                                                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                                                                                                                                                                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 004062EB
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
                                                                                                                                                                                      • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                      • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                    • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0040451D
                                                                                                                                                                                    • GetSysColor.USER32(00000000), ref: 0040455B
                                                                                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00404567
                                                                                                                                                                                    • SetBkMode.GDI32(?,?), ref: 00404573
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404586
                                                                                                                                                                                    • SetBkColor.GDI32(?,?), ref: 00404596
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004045B0
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 004045BA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                                                                                                                                                      • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                    • String ID: 9
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                    • lstrlenW.KERNEL32(00403418,0042C248,00000000,?,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                    • lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,?,771B23A0), ref: 004055FA
                                                                                                                                                                                    • SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                                                                                                                                                                                    • GetMessagePos.USER32 ref: 00404E77
                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404E91
                                                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                    • Opcode ID: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                                                                                                                                    • Instruction ID: 177f1d0b32132a6560496663958852c5fe6f1b23f9da62007dee57caca3d7f28
                                                                                                                                                                                    • Opcode Fuzzy Hash: b2affdf3b53bee8738e3b61904ea6c87bda347b462d3853a737802ef9deed65a
                                                                                                                                                                                    • Instruction Fuzzy Hash: 34014C71900219BADB00DBA4DD85BFFBBB8AB54711F10012BBA50B61C0D7B49A058BA5
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                                                                                                                                                                    • MulDiv.KERNEL32(01858A60,00000064,0185B4D8), ref: 00402FDC
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00402FEC
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402FE6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                    • Opcode ID: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                                                                                                                                    • Instruction ID: eb17ebabde20c32bd565f0ca98bf5c3c7f8a04474e671541d9d17dad0456e96b
                                                                                                                                                                                    • Opcode Fuzzy Hash: ea3fb41b8b9d1af7e43715991a6ce4dd060937d78b5a266238e4f5c2501e20f6
                                                                                                                                                                                    • Instruction Fuzzy Hash: 20014B7064020DABEF209F60DE4AFEA3B79FB04345F008039FA06B51D0DBB999559F69
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00402A06
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                    • Opcode ID: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                                                                                                                                    • Instruction ID: 8fc1a79e9ee36ebd610a2d663d7387b5f1fea8f48d7bc9e01940cd119f3fb53c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 18333e3c7c5edca9258600c879c391e4e8cb8a080c4e0dd56f257e0fabcb70bb
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5831C271D00124BBCF216FA9CE49DDEBE79AF49364F14023AF450762E0CB794C429BA8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
                                                                                                                                                                                    • CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
                                                                                                                                                                                    • CharNextW.USER32(?,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
                                                                                                                                                                                    • CharPrevW.USER32(?,?,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Char$Next$Prev
                                                                                                                                                                                    • String ID: *?|<>/":
                                                                                                                                                                                    • API String ID: 589700163-165019052
                                                                                                                                                                                    • Opcode ID: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                                                                                                                                    • Instruction ID: 8e05d213a2b26a47bd0c986db1e6a85e10b5e067f284fb5e9645f7af11a9ce3c
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7f8a10c6574f84f045d99a2f2ba91d71661da1c9dbe2055a6f375f6d39957bd5
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7311862780161295DB313B158C44A77A2A8AF58798F56843FED86B32C1E77C8C9282AD
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00401DE5
                                                                                                                                                                                    • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                                                                                                                                                    • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                                                    • Opcode ID: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                                                                                                                                                                                    • Instruction ID: b69f8f45c5cbb28dd5603d9b1d667d2ce3d3910c133b75fee4ecc707c572ca23
                                                                                                                                                                                    • Opcode Fuzzy Hash: 0d14a93a4aa2f7ddc0f91d11ffebc05af74b5a93feb44974f4da7284e64bbe2b
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3321F672904119AFCB05DBA4DE45AEEBBB5EF08314F14003AFA45F62A0DB389951DB98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00401E51
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32(Call,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2584051700-0
                                                                                                                                                                                    • Opcode ID: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
                                                                                                                                                                                    • Instruction ID: 78b13ae86a0973dc2b43aa2eb6c1af0beb3c1ef463c522f55250376beecb9f8a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 7613f5a947f4bbf8195753a17fba9eaca46e1d6fc564812dac8d5fa739d0f051
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7001B571904241EFEB005BB0EE49B9A3FB4BB15301F108A39F541B71D2C7B904458BED
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                                                                    • String ID: !
                                                                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                                                                    • Opcode ID: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                                                                                                                                                                                    • Instruction ID: 549e056fbb7746b1afa8e7352ee9f1cbf83a3633853e14f9ff1f16dc1dd81c22
                                                                                                                                                                                    • Opcode Fuzzy Hash: 56378305e9cef062e59ac21505f1e4874eb63478d5e018d68d94a8de4df44513
                                                                                                                                                                                    • Instruction Fuzzy Hash: 46219C7190420AAFEF05AFA4D94AAAE7BB4FF84304F14453EF601B61D0D7B88941CB98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                                                                    • Opcode ID: 8eaa60c285ed2ca3ba3cc070ccd72c3506245c9ef86633ed67cf81484c09c26b
                                                                                                                                                                                    • Instruction ID: d7f2b51e3f2153b105aad6c1cbcae815e44f670c765de83d30fbb221df5484fa
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8eaa60c285ed2ca3ba3cc070ccd72c3506245c9ef86633ed67cf81484c09c26b
                                                                                                                                                                                    • Instruction Fuzzy Hash: AC11D573A041283BDB10656DAC45E9E369CAF81334F254237FA66F21D1EA78D91182E8
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405EC5
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    • API String ID: 3213498283-3404278061
                                                                                                                                                                                    • Opcode ID: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                                                                                                                                                                                    • Instruction ID: b7f7aa27055ddc775a1b47344aef2f77b81fec2ea34db2f3ccdabfa21b6bce3d
                                                                                                                                                                                    • Opcode Fuzzy Hash: 389604e099afbb0f1c733809242fd9884b65eb47018f1a61235cb76474637dc7
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7BF0F631810E1296DB317B548C44E7B97BCEB64354B04843BD741B71C0D3BC8D808BDA
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(C:\Windows\TEMP\nstA20.tmp\System.dll), ref: 00402695
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000012.00000002.2370856243.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2370992598.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.000000000040D000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.000000000043C000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371038829.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000012.00000002.2371432137.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen
                                                                                                                                                                                    • String ID: C:\Windows\TEMP\nstA20.tmp$C:\Windows\TEMP\nstA20.tmp\System.dll
                                                                                                                                                                                    • API String ID: 1659193697-2143130135
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040304A
                                                                                                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00405542
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                                                                                                                                                                      • Part of subcall function 004044E5: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044F7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(80000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,004030E9,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
                                                                                                                                                                                    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,004030E9,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003), ref: 00405E6E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp, xrefs: 00405E58
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharPrevlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp
                                                                                                                                                                                    • API String ID: 2709904686-4128723618
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
                                                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000012.00000002.2370905839.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_18_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                    • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9

                                                                                                                                                                                    Execution Graph

                                                                                                                                                                                    Execution Coverage:17.6%
                                                                                                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                                                                                                    Signature Coverage:0%
                                                                                                                                                                                    Total number of Nodes:1562
                                                                                                                                                                                    Total number of Limit Nodes:28
5413->5414 5415 402da6 17 API calls 5414->5415 5416 401f21 5415->5416 5417 402da6 17 API calls 5416->5417 5418 401f2a 5417->5418 5419 402da6 17 API calls 5418->5419 5420 401f33 5419->5420 5421 401423 24 API calls 5420->5421 5422 401f3a 5421->5422 5429 405b63 ShellExecuteExW 5422->5429 5424 401f82 5425 4069b5 5 API calls 5424->5425 5427 40292e 5424->5427 5426 401f9f CloseHandle 5425->5426 5426->5427 5429->5424 5430 70102d43 5431 70102d5b 5430->5431 5432 7010162f 2 API calls 5431->5432 5433 70102d76 5432->5433 5434 405513 5435 405523 5434->5435 5436 405537 5434->5436 5437 405529 5435->5437 5446 405580 5435->5446 5438 40553f IsWindowVisible 5436->5438 5444 405556 5436->5444 5440 4044e5 SendMessageW 5437->5440 5441 40554c 5438->5441 5438->5446 5439 405585 CallWindowProcW 5442 405533 5439->5442 5440->5442 5443 404e54 5 API calls 5441->5443 5443->5444 5444->5439 5445 404ed4 4 API calls 5444->5445 5445->5446 5446->5439 5447 402f93 5448 402fa5 SetTimer 5447->5448 5449 402fbe 5447->5449 5448->5449 5450 403013 5449->5450 5451 402fd8 MulDiv wsprintfW SetWindowTextW SetDlgItemTextW 5449->5451 5451->5450 5452 401d17 5453 402d84 17 API calls 5452->5453 5454 401d1d IsWindow 5453->5454 5455 401a20 5454->5455 5456 403f9a 5457 403fb2 5456->5457 5458 404113 5456->5458 5457->5458 5459 403fbe 5457->5459 5460 404164 5458->5460 5461 404124 GetDlgItem GetDlgItem 5458->5461 5462 403fc9 SetWindowPos 5459->5462 5463 403fdc 5459->5463 5465 4041be 5460->5465 5474 401389 2 API calls 5460->5474 5464 404499 18 API calls 5461->5464 5462->5463 5467 403fe5 ShowWindow 5463->5467 5468 404027 5463->5468 5469 40414e SetClassLongW 5464->5469 5466 4044e5 SendMessageW 5465->5466 5480 40410e 5465->5480 5517 4041d0 5466->5517 5470 404005 GetWindowLongW 5467->5470 5495 4040d1 5467->5495 5471 404046 5468->5471 5472 40402f DestroyWindow 5468->5472 5473 40140b 2 API calls 5469->5473 5476 40401e ShowWindow 5470->5476 5470->5495 5477 40404b SetWindowLongW 5471->5477 5478 40405c 5471->5478 5526 404422 5472->5526 
5473->5460 5479 404196 5474->5479 5475 404500 8 API calls 5475->5480 5476->5468 5477->5480 5483 404068 GetDlgItem 5478->5483 5478->5495 5479->5465 5484 40419a SendMessageW 5479->5484 5481 40140b 2 API calls 5481->5517 5482 404424 DestroyWindow EndDialog 5482->5526 5486 404079 SendMessageW IsWindowEnabled 5483->5486 5488 404096 5483->5488 5484->5480 5485 404453 ShowWindow 5485->5480 5486->5480 5486->5488 5487 40657a 17 API calls 5487->5517 5489 4040a3 5488->5489 5490 4040ea SendMessageW 5488->5490 5491 4040b6 5488->5491 5499 40409b 5488->5499 5489->5490 5489->5499 5490->5495 5493 4040d3 5491->5493 5494 4040be 5491->5494 5492 404472 SendMessageW 5492->5495 5497 40140b 2 API calls 5493->5497 5496 40140b 2 API calls 5494->5496 5495->5475 5496->5499 5497->5499 5498 404499 18 API calls 5498->5517 5499->5492 5499->5495 5500 404499 18 API calls 5501 40424b GetDlgItem 5500->5501 5502 404260 5501->5502 5503 404268 ShowWindow EnableWindow 5501->5503 5502->5503 5527 4044bb EnableWindow 5503->5527 5505 404292 EnableWindow 5510 4042a6 5505->5510 5506 4042ab GetSystemMenu EnableMenuItem SendMessageW 5507 4042db SendMessageW 5506->5507 5506->5510 5507->5510 5509 403f7b 18 API calls 5509->5510 5510->5506 5510->5509 5528 4044ce SendMessageW 5510->5528 5529 40653d lstrcpynW 5510->5529 5512 40430a lstrlenW 5513 40657a 17 API calls 5512->5513 5514 404320 SetWindowTextW 5513->5514 5515 401389 2 API calls 5514->5515 5515->5517 5516 404364 DestroyWindow 5518 40437e CreateDialogParamW 5516->5518 5516->5526 5517->5480 5517->5481 5517->5482 5517->5487 5517->5498 5517->5500 5517->5516 5519 4043b1 5518->5519 5518->5526 5520 404499 18 API calls 5519->5520 5521 4043bc GetDlgItem GetWindowRect ScreenToClient SetWindowPos 5520->5521 5522 401389 2 API calls 5521->5522 5523 404402 5522->5523 5523->5480 5524 40440a ShowWindow 5523->5524 5525 4044e5 SendMessageW 5524->5525 5525->5526 5526->5480 5526->5485 5527->5505 5528->5510 5529->5512 5530 401b9b 5531 401bec 5530->5531 5533 401ba8 5530->5533 5532 
401c16 GlobalAlloc 5531->5532 5535 401bf1 5531->5535 5537 40657a 17 API calls 5532->5537 5534 401c31 5533->5534 5540 401bbf 5533->5540 5536 40657a 17 API calls 5534->5536 5544 40239d 5534->5544 5535->5544 5551 40653d lstrcpynW 5535->5551 5539 402397 5536->5539 5537->5534 5539->5544 5545 405b9d MessageBoxIndirectW 5539->5545 5549 40653d lstrcpynW 5540->5549 5541 401c03 GlobalFree 5541->5544 5543 401bce 5550 40653d lstrcpynW 5543->5550 5545->5544 5547 401bdd 5552 40653d lstrcpynW 5547->5552 5549->5543 5550->5547 5551->5541 5552->5544 5553 40261c 5554 402da6 17 API calls 5553->5554 5555 402623 5554->5555 5558 40602d GetFileAttributesW CreateFileW 5555->5558 5557 40262f 5558->5557 5559 40149e 5560 4014ac PostQuitMessage 5559->5560 5561 40239d 5559->5561 5560->5561 5562 40259e 5563 402de6 17 API calls 5562->5563 5564 4025a8 5563->5564 5565 402d84 17 API calls 5564->5565 5566 4025b1 5565->5566 5567 4025d9 RegEnumValueW 5566->5567 5568 4025cd RegEnumKeyW 5566->5568 5570 40292e 5566->5570 5569 4025ee RegCloseKey 5567->5569 5568->5569 5569->5570 5572 4015a3 5573 402da6 17 API calls 5572->5573 5574 4015aa SetFileAttributesW 5573->5574 5575 4015bc 5574->5575 4155 401fa4 4156 402da6 17 API calls 4155->4156 4157 401faa 4156->4157 4158 40559f 24 API calls 4157->4158 4159 401fb4 4158->4159 4170 405b20 CreateProcessW 4159->4170 4162 401fdd CloseHandle 4166 40292e 4162->4166 4165 401fcf 4167 401fd4 4165->4167 4168 401fdf 4165->4168 4178 406484 wsprintfW 4167->4178 4168->4162 4171 405b53 CloseHandle 4170->4171 4172 401fba 4170->4172 4171->4172 4172->4162 4172->4166 4173 4069b5 WaitForSingleObject 4172->4173 4174 4069cf 4173->4174 4175 4069e1 GetExitCodeProcess 4174->4175 4179 406946 4174->4179 4175->4165 4178->4162 4180 406963 PeekMessageW 4179->4180 4181 406973 WaitForSingleObject 4180->4181 4182 406959 DispatchMessageW 4180->4182 4181->4174 4182->4180 5576 70101774 5577 701017a3 5576->5577 5578 70101bff 22 API calls 5577->5578 5579 701017aa 5578->5579 5580 701017b1 5579->5580 5581 
701017bd 5579->5581 5584 70101312 2 API calls 5580->5584 5582 701017e4 5581->5582 5583 701017c7 5581->5583 5586 701017ea 5582->5586 5587 7010180e 5582->5587 5585 701015dd 3 API calls 5583->5585 5588 701017bb 5584->5588 5589 701017cc 5585->5589 5590 70101654 3 API calls 5586->5590 5591 701015dd 3 API calls 5587->5591 5592 70101654 3 API calls 5589->5592 5593 701017ef 5590->5593 5591->5588 5594 701017d2 5592->5594 5595 70101312 2 API calls 5593->5595 5596 70101312 2 API calls 5594->5596 5597 701017f5 GlobalFree 5595->5597 5598 701017d8 GlobalFree 5596->5598 5597->5588 5599 70101809 GlobalFree 5597->5599 5598->5588 5599->5588 5600 70101979 5601 7010199c 5600->5601 5602 701019d1 GlobalFree 5601->5602 5603 701019e3 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __allrem 5601->5603 5602->5603 5604 70101312 2 API calls 5603->5604 5605 70101b6e GlobalFree GlobalFree 5604->5605 4239 40252a 4250 402de6 4239->4250 4242 402da6 17 API calls 4243 40253d 4242->4243 4244 402548 RegQueryValueExW 4243->4244 4249 40292e 4243->4249 4245 40256e RegCloseKey 4244->4245 4246 402568 4244->4246 4245->4249 4246->4245 4255 406484 wsprintfW 4246->4255 4251 402da6 17 API calls 4250->4251 4252 402dfd 4251->4252 4253 4063aa RegOpenKeyExW 4252->4253 4254 402534 4253->4254 4254->4242 4255->4245 5606 40202a 5607 402da6 17 API calls 5606->5607 5608 402031 5607->5608 5609 40690a 5 API calls 5608->5609 5610 402040 5609->5610 5611 4020cc 5610->5611 5612 40205c GlobalAlloc 5610->5612 5612->5611 5613 402070 5612->5613 5614 40690a 5 API calls 5613->5614 5615 402077 5614->5615 5616 40690a 5 API calls 5615->5616 5617 402081 5616->5617 5617->5611 5621 406484 wsprintfW 5617->5621 5619 4020ba 5622 406484 wsprintfW 5619->5622 5621->5619 5622->5611 5623 4021aa 5624 402da6 17 API calls 5623->5624 5625 4021b1 5624->5625 5626 402da6 17 API calls 5625->5626 5627 4021bb 5626->5627 5628 402da6 17 API calls 5627->5628 5629 4021c5 5628->5629 5630 402da6 17 API calls 5629->5630 5631 4021cf 5630->5631 5632 402da6 17 API calls 
5631->5632 5633 4021d9 5632->5633 5634 402218 CoCreateInstance 5633->5634 5635 402da6 17 API calls 5633->5635 5638 402237 5634->5638 5635->5634 5636 401423 24 API calls 5637 4022f6 5636->5637 5638->5636 5638->5637 5639 403baa 5640 403bb5 5639->5640 5641 403bb9 5640->5641 5642 403bbc GlobalAlloc 5640->5642 5642->5641 4256 40352d SetErrorMode GetVersionExW 4257 4035b7 4256->4257 4258 40357f GetVersionExW 4256->4258 4259 403610 4257->4259 4260 40690a 5 API calls 4257->4260 4258->4257 4261 40689a 3 API calls 4259->4261 4260->4259 4262 403626 lstrlenA 4261->4262 4262->4259 4263 403636 4262->4263 4264 40690a 5 API calls 4263->4264 4265 40363d 4264->4265 4266 40690a 5 API calls 4265->4266 4267 403644 4266->4267 4268 40690a 5 API calls 4267->4268 4269 403650 #17 OleInitialize SHGetFileInfoW 4268->4269 4347 40653d lstrcpynW 4269->4347 4272 40369d GetCommandLineW 4348 40653d lstrcpynW 4272->4348 4274 4036af 4275 405e39 CharNextW 4274->4275 4276 4036d5 CharNextW 4275->4276 4288 4036e6 4276->4288 4277 4037e4 4278 4037f8 GetTempPathW 4277->4278 4349 4034fc 4278->4349 4280 403810 4282 403814 GetWindowsDirectoryW lstrcatW 4280->4282 4283 40386a DeleteFileW 4280->4283 4281 405e39 CharNextW 4281->4288 4284 4034fc 12 API calls 4282->4284 4359 40307d GetTickCount GetModuleFileNameW 4283->4359 4286 403830 4284->4286 4286->4283 4289 403834 GetTempPathW lstrcatW SetEnvironmentVariableW SetEnvironmentVariableW 4286->4289 4287 40387d 4296 405e39 CharNextW 4287->4296 4319 403941 4287->4319 4332 403932 4287->4332 4288->4277 4288->4281 4290 4037e6 4288->4290 4291 4034fc 12 API calls 4289->4291 4444 40653d lstrcpynW 4290->4444 4295 403862 4291->4295 4295->4283 4295->4319 4312 40389f 4296->4312 4298 403a69 4456 405b9d 4298->4456 4299 403a7e 4301 403a86 GetCurrentProcess OpenProcessToken 4299->4301 4302 403afc ExitProcess 4299->4302 4307 403acc 4301->4307 4308 403a9d LookupPrivilegeValueW AdjustTokenPrivileges 4301->4308 4304 403908 4309 405f14 18 API calls 4304->4309 4305 403949 4311 405b08 5 
API calls 4305->4311 4310 40690a 5 API calls 4307->4310 4308->4307 4313 403914 4309->4313 4318 403ad3 4310->4318 4314 40394e lstrcatW 4311->4314 4312->4304 4312->4305 4313->4319 4445 40653d lstrcpynW 4313->4445 4315 40396a lstrcatW lstrcmpiW 4314->4315 4316 40395f lstrcatW 4314->4316 4315->4319 4320 40398a 4315->4320 4316->4315 4317 403ae8 ExitWindowsEx 4317->4302 4322 403af5 4317->4322 4318->4317 4318->4322 4449 403b12 4319->4449 4323 403996 4320->4323 4324 40398f 4320->4324 4460 40140b 4322->4460 4328 405aeb 2 API calls 4323->4328 4327 405a6e 4 API calls 4324->4327 4325 403927 4446 40653d lstrcpynW 4325->4446 4330 403994 4327->4330 4331 40399b SetCurrentDirectoryW 4328->4331 4330->4331 4333 4039b8 4331->4333 4334 4039ad 4331->4334 4387 403bec 4332->4387 4448 40653d lstrcpynW 4333->4448 4447 40653d lstrcpynW 4334->4447 4337 40657a 17 API calls 4338 4039fa DeleteFileW 4337->4338 4339 403a06 CopyFileW 4338->4339 4344 4039c5 4338->4344 4339->4344 4340 403a50 4342 4062fd 36 API calls 4340->4342 4341 4062fd 36 API calls 4341->4344 4342->4319 4343 40657a 17 API calls 4343->4344 4344->4337 4344->4340 4344->4341 4344->4343 4345 405b20 2 API calls 4344->4345 4346 403a3a CloseHandle 4344->4346 4345->4344 4346->4344 4347->4272 4348->4274 4350 4067c4 5 API calls 4349->4350 4352 403508 4350->4352 4351 403512 4351->4280 4352->4351 4353 405e0c 3 API calls 4352->4353 4354 40351a 4353->4354 4355 405aeb 2 API calls 4354->4355 4356 403520 4355->4356 4463 40605c 4356->4463 4467 40602d GetFileAttributesW CreateFileW 4359->4467 4361 4030bd 4380 4030cd 4361->4380 4468 40653d lstrcpynW 4361->4468 4363 4030e3 4364 405e58 2 API calls 4363->4364 4365 4030e9 4364->4365 4469 40653d lstrcpynW 4365->4469 4367 4030f4 GetFileSize 4368 4031ee 4367->4368 4386 40310b 4367->4386 4470 403019 4368->4470 4370 4031f7 4372 403227 GlobalAlloc 4370->4372 4370->4380 4482 4034e5 SetFilePointer 4370->4482 4371 4034cf ReadFile 4371->4386 4481 4034e5 SetFilePointer 4372->4481 4373 40325a 4377 403019 6 API calls 
4373->4377 4376 403242 4379 4032b4 31 API calls 4376->4379 4377->4380 4378 403210 4381 4034cf ReadFile 4378->4381 4384 40324e 4379->4384 4380->4287 4383 40321b 4381->4383 4382 403019 6 API calls 4382->4386 4383->4372 4383->4380 4384->4380 4384->4384 4385 40328b SetFilePointer 4384->4385 4385->4380 4386->4368 4386->4371 4386->4373 4386->4380 4386->4382 4388 40690a 5 API calls 4387->4388 4389 403c00 4388->4389 4390 403c06 4389->4390 4391 403c18 4389->4391 4491 406484 wsprintfW 4390->4491 4392 40640b 3 API calls 4391->4392 4393 403c48 4392->4393 4394 403c67 lstrcatW 4393->4394 4396 40640b 3 API calls 4393->4396 4397 403c16 4394->4397 4396->4394 4483 403ec2 4397->4483 4400 405f14 18 API calls 4401 403c99 4400->4401 4402 403d2d 4401->4402 4404 40640b 3 API calls 4401->4404 4403 405f14 18 API calls 4402->4403 4406 403d33 4403->4406 4410 403ccb 4404->4410 4405 403d43 LoadImageW 4408 403de9 4405->4408 4409 403d6a RegisterClassW 4405->4409 4406->4405 4407 40657a 17 API calls 4406->4407 4407->4405 4412 40140b 2 API calls 4408->4412 4411 403da0 SystemParametersInfoW CreateWindowExW 4409->4411 4443 403df3 4409->4443 4410->4402 4413 403cec lstrlenW 4410->4413 4414 405e39 CharNextW 4410->4414 4411->4408 4417 403def 4412->4417 4415 403d20 4413->4415 4416 403cfa lstrcmpiW 4413->4416 4418 403ce9 4414->4418 4420 405e0c 3 API calls 4415->4420 4416->4415 4419 403d0a GetFileAttributesW 4416->4419 4422 403ec2 18 API calls 4417->4422 4417->4443 4418->4413 4421 403d16 4419->4421 4423 403d26 4420->4423 4421->4415 4424 405e58 2 API calls 4421->4424 4425 403e00 4422->4425 4492 40653d lstrcpynW 4423->4492 4424->4415 4427 403e0c ShowWindow 4425->4427 4428 403e8f 4425->4428 4430 40689a 3 API calls 4427->4430 4493 405672 OleInitialize 4428->4493 4432 403e24 4430->4432 4431 403e95 4433 403eb1 4431->4433 4434 403e99 4431->4434 4435 403e32 GetClassInfoW 4432->4435 4439 40689a 3 API calls 4432->4439 4438 40140b 2 API calls 4433->4438 4441 40140b 2 API calls 4434->4441 4434->4443 4436 403e46 
GetClassInfoW RegisterClassW 4435->4436 4437 403e5c DialogBoxParamW 4435->4437 4436->4437 4440 40140b 2 API calls 4437->4440 4438->4443 4439->4435 4442 403e84 4440->4442 4441->4443 4442->4443 4443->4319 4444->4278 4445->4325 4446->4332 4447->4333 4448->4344 4450 403b2a 4449->4450 4451 403b1c CloseHandle 4449->4451 4511 403b57 4450->4511 4451->4450 4454 405c49 67 API calls 4455 403a5e OleUninitialize 4454->4455 4455->4298 4455->4299 4457 405bb2 4456->4457 4458 405bc6 MessageBoxIndirectW 4457->4458 4459 403a76 ExitProcess 4457->4459 4458->4459 4461 401389 2 API calls 4460->4461 4462 401420 4461->4462 4462->4302 4464 406069 GetTickCount GetTempFileNameW 4463->4464 4465 40352b 4464->4465 4466 40609f 4464->4466 4465->4280 4466->4464 4466->4465 4467->4361 4468->4363 4469->4367 4471 403022 4470->4471 4472 40303a 4470->4472 4473 403032 4471->4473 4474 40302b DestroyWindow 4471->4474 4475 403042 4472->4475 4476 40304a GetTickCount 4472->4476 4473->4370 4474->4473 4477 406946 2 API calls 4475->4477 4478 403058 CreateDialogParamW ShowWindow 4476->4478 4479 40307b 4476->4479 4480 403048 4477->4480 4478->4479 4479->4370 4480->4370 4481->4376 4482->4378 4484 403ed6 4483->4484 4500 406484 wsprintfW 4484->4500 4486 403f47 4501 403f7b 4486->4501 4488 403c77 4488->4400 4489 403f4c 4489->4488 4490 40657a 17 API calls 4489->4490 4490->4489 4491->4397 4492->4402 4504 4044e5 4493->4504 4495 405695 4499 4056bc 4495->4499 4507 401389 4495->4507 4496 4044e5 SendMessageW 4497 4056ce OleUninitialize 4496->4497 4497->4431 4499->4496 4500->4486 4502 40657a 17 API calls 4501->4502 4503 403f89 SetWindowTextW 4502->4503 4503->4489 4505 4044fd 4504->4505 4506 4044ee SendMessageW 4504->4506 4505->4495 4506->4505 4509 401390 4507->4509 4508 4013fe 4508->4495 4509->4508 4510 4013cb MulDiv SendMessageW 4509->4510 4510->4509 4512 403b65 4511->4512 4513 403b2f 4512->4513 4514 403b6a FreeLibrary GlobalFree 4512->4514 4513->4454 4514->4513 4514->4514 4556 70102a7f 4557 70102acf 4556->4557 4558 70102a8f 
VirtualProtect 4556->4558 4558->4557 5643 401a30 5644 402da6 17 API calls 5643->5644 5645 401a39 ExpandEnvironmentStringsW 5644->5645 5646 401a4d 5645->5646 5648 401a60 5645->5648 5647 401a52 lstrcmpW 5646->5647 5646->5648 5647->5648 5649 701010e1 5658 70101111 5649->5658 5650 701012b0 GlobalFree 5651 701011d7 GlobalAlloc 5651->5658 5652 70101240 GlobalFree 5652->5658 5653 7010135a 2 API calls 5653->5658 5654 701012ab 5654->5650 5655 70101312 2 API calls 5655->5658 5656 7010129a GlobalFree 5656->5658 5657 70101381 lstrcpyW 5657->5658 5658->5650 5658->5651 5658->5652 5658->5653 5658->5654 5658->5655 5658->5656 5658->5657 5659 7010116b GlobalAlloc 5658->5659 5659->5658 5665 4023b2 5666 4023ba 5665->5666 5669 4023c0 5665->5669 5667 402da6 17 API calls 5666->5667 5667->5669 5668 4023dc 5672 402da6 17 API calls 5668->5672 5670 402da6 17 API calls 5669->5670 5673 4023ce 5669->5673 5670->5673 5671 402da6 17 API calls 5671->5668 5674 4023e5 WritePrivateProfileStringW 5672->5674 5673->5668 5673->5671 4559 402434 4560 402467 4559->4560 4561 40243c 4559->4561 4563 402da6 17 API calls 4560->4563 4562 402de6 17 API calls 4561->4562 4564 402443 4562->4564 4565 40246e 4563->4565 4567 402da6 17 API calls 4564->4567 4569 40247b 4564->4569 4570 402e64 4565->4570 4568 402454 RegDeleteValueW RegCloseKey 4567->4568 4568->4569 4571 402e78 4570->4571 4572 402e71 4570->4572 4571->4572 4574 402ea9 4571->4574 4572->4569 4575 4063aa RegOpenKeyExW 4574->4575 4576 402ed7 4575->4576 4577 402ee1 4576->4577 4578 402f8c 4576->4578 4579 402ee7 RegEnumValueW 4577->4579 4588 402f0a 4577->4588 4578->4572 4580 402f71 RegCloseKey 4579->4580 4579->4588 4580->4578 4581 402f46 RegEnumKeyW 4582 402f4f RegCloseKey 4581->4582 4581->4588 4583 40690a 5 API calls 4582->4583 4584 402f5f 4583->4584 4586 402f81 4584->4586 4587 402f63 RegDeleteKeyW 4584->4587 4585 402ea9 6 API calls 4585->4588 4586->4578 4587->4578 4588->4580 4588->4581 4588->4582 4588->4585 5675 401735 5676 402da6 17 API calls 5675->5676 5677 
40173c SearchPathW 5676->5677 5678 401757 5677->5678 5679 4014b8 5680 4014be 5679->5680 5681 401389 2 API calls 5680->5681 5682 4014c6 5681->5682 5683 401d38 5684 402d84 17 API calls 5683->5684 5685 401d3f 5684->5685 5686 402d84 17 API calls 5685->5686 5687 401d4b GetDlgItem 5686->5687 5688 402638 5687->5688 5689 701023e9 5690 70102453 5689->5690 5691 7010245e GlobalAlloc 5690->5691 5692 7010247d 5690->5692 5691->5690 5693 40263e 5694 402652 5693->5694 5695 40266d 5693->5695 5696 402d84 17 API calls 5694->5696 5697 402672 5695->5697 5698 40269d 5695->5698 5704 402659 5696->5704 5699 402da6 17 API calls 5697->5699 5700 402da6 17 API calls 5698->5700 5701 402679 5699->5701 5702 4026a4 lstrlenW 5700->5702 5710 40655f WideCharToMultiByte 5701->5710 5702->5704 5706 4026e7 5704->5706 5708 40610e 5 API calls 5704->5708 5709 4026d1 5704->5709 5705 40268d lstrlenA 5705->5704 5707 4060df WriteFile 5707->5706 5708->5709 5709->5706 5709->5707 5710->5705

Control-flow Graph
APIs
• SetErrorMode.KERNELBASE(00008001), ref: 00403550
• GetVersionExW.KERNEL32(?), ref: 00403579
• GetVersionExW.KERNEL32(0000011C), ref: 00403590
• lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403627
• #17.COMCTL32(00000007,00000009,0000000B), ref: 00403663
• OleInitialize.OLE32(00000000), ref: 0040366A
• SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 00403688
• GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 0040369D
• CharNextW.USER32(00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S,00000020,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S,00000000), ref: 004036D6
• GetTempPathW.KERNEL32(00000400,00442800,00000000,?), ref: 00403809
• GetWindowsDirectoryW.KERNEL32(00442800,000003FB), ref: 0040381A
• lstrcatW.KERNEL32(00442800,\Temp), ref: 00403826
• GetTempPathW.KERNEL32(000003FC,00442800,00442800,\Temp), ref: 0040383A
• lstrcatW.KERNEL32(00442800,Low), ref: 00403842
• SetEnvironmentVariableW.KERNEL32(TEMP,00442800,00442800,Low), ref: 00403853
• SetEnvironmentVariableW.KERNEL32(TMP,00442800), ref: 0040385B
• DeleteFileW.KERNELBASE(00442000), ref: 0040386F
• lstrcatW.KERNEL32(00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S,00000000,?), ref: 00403956
• lstrcatW.KERNEL32(00442800,0040A26C,00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S,00000000,?), ref: 00403965
  • Part of subcall function 00405AEB: CreateDirectoryW.KERNELBASE(?,00000000,00403520,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00405AF1
• lstrcatW.KERNEL32(00442800,.tmp,00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S,00000000,?), ref: 00403970
• lstrcmpiW.KERNEL32(00442800,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,00442800,.tmp,00442800,~nsu,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S,00000000,?), ref: 0040397C
• SetCurrentDirectoryW.KERNEL32(00442800,00442800), ref: 0040399C
• DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00436000,?), ref: 004039FB
• CopyFileW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,0042AA28,00000001), ref: 00403A0E
• CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403A3B
• OleUninitialize.OLE32(?), ref: 00403A5E
• ExitProcess.KERNEL32 ref: 00403A78
                                                                                                                                                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00403A8C
                                                                                                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00403A93
                                                                                                                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA7
                                                                                                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403AC6
                                                                                                                                                                                    • ExitWindowsEx.USER32(00000002,80040002), ref: 00403AEB
                                                                                                                                                                                    • ExitProcess.KERNEL32 ref: 00403B0C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrcat$FileProcess$DirectoryExit$CurrentDeleteEnvironmentPathTempTokenVariableVersionWindows$AdjustCharCloseCommandCopyCreateErrorHandleInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesUninitializeValuelstrcmpilstrlen
                                                                                                                                                                                    • String ID: .tmp$C:\Program Files\Wildix\WIService$C:\Program Files\Wildix\WIService$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe /S$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
                                                                                                                                                                                    • API String ID: 3859024572-2667967499
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 701012BB: GlobalAlloc.KERNELBASE(00000040,?,701012DB,?,7010137F,00000019,701011CA,-000000A0), ref: 701012C5
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 70101D2D
                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000008,?), ref: 70101D75
                                                                                                                                                                                    • lstrcpyW.KERNEL32(00000808,?), ref: 70101D7F
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70101D92
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70101E74
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70101E79
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70101E7E
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70102068
                                                                                                                                                                                    • lstrcpyW.KERNEL32(?,?), ref: 70102222
                                                                                                                                                                                    • GetModuleHandleW.KERNEL32(00000008), ref: 701022A1
                                                                                                                                                                                    • LoadLibraryW.KERNEL32(00000008), ref: 701022B2
                                                                                                                                                                                    • GetProcAddress.KERNEL32(?,?), ref: 7010230C
                                                                                                                                                                                    • lstrlenW.KERNEL32(00000808), ref: 70102326
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 245916457-0

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    • Executed
                                                                                                                                                                                    • Not Executed
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,771B3420,00442800,00000000), ref: 00405C72
                                                                                                                                                                                    • lstrcatW.KERNEL32(C:\Program Files\Wildix\Outlook Integration\*.*,\*.*,C:\Program Files\Wildix\Outlook Integration\*.*,?,?,771B3420,00442800,00000000), ref: 00405CBA
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,0040A014,?,C:\Program Files\Wildix\Outlook Integration\*.*,?,?,771B3420,00442800,00000000), ref: 00405CDD
                                                                                                                                                                                    • lstrlenW.KERNEL32(?,?,0040A014,?,C:\Program Files\Wildix\Outlook Integration\*.*,?,?,771B3420,00442800,00000000), ref: 00405CE3
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(C:\Program Files\Wildix\Outlook Integration\*.*,?,?,?,0040A014,?,C:\Program Files\Wildix\Outlook Integration\*.*,?,?,771B3420,00442800,00000000), ref: 00405CF3
                                                                                                                                                                                    • FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D93
                                                                                                                                                                                    • FindClose.KERNEL32(00000000), ref: 00405DA2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                                                                                                    • String ID: .$.$C:\Program Files\Wildix\Outlook Integration\*.*$\*.*
                                                                                                                                                                                    • API String ID: 2035342205-1577922360
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • FindFirstFileW.KERNELBASE(771B3420,004302B8,C:\,00405F5D,C:\,C:\,00000000,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800), ref: 0040687E
                                                                                                                                                                                    • FindClose.KERNELBASE(00000000), ref: 0040688A
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    • API String ID: 2295610775-3404278061
                                                                                                                                                                                    • Opcode ID: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                                                                                    • Instruction ID: 67599a3b69382adcf67454a25bfea179debcebd0a6e2e92eb77ede12202c023a
                                                                                                                                                                                    • Opcode Fuzzy Hash: 86d0f84efe5cb21a5e65899ed37e92679b9de560e532c409a12d624e9ae3e839
                                                                                                                                                                                    • Instruction Fuzzy Hash: C3D012325192205FC3402B386E0C84B7A989F16331726CB76B4AAF51E0D7388C7387BD

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 143 403bec-403c04 call 40690a 146 403c06-403c16 call 406484 143->146 147 403c18-403c4f call 40640b 143->147 155 403c72-403c9b call 403ec2 call 405f14 146->155 151 403c51-403c62 call 40640b 147->151 152 403c67-403c6d lstrcatW 147->152 151->152 152->155 161 403ca1-403ca6 155->161 162 403d2d-403d35 call 405f14 155->162 161->162 163 403cac-403cc6 call 40640b 161->163 168 403d43-403d68 LoadImageW 162->168 169 403d37-403d3e call 40657a 162->169 167 403ccb-403cd4 163->167 167->162 173 403cd6-403cda 167->173 171 403de9-403df1 call 40140b 168->171 172 403d6a-403d9a RegisterClassW 168->172 169->168 186 403df3-403df6 171->186 187 403dfb-403e06 call 403ec2 171->187 174 403da0-403de4 SystemParametersInfoW CreateWindowExW 172->174 175 403eb8 172->175 177 403cec-403cf8 lstrlenW 173->177 178 403cdc-403ce9 call 405e39 173->178 174->171 180 403eba-403ec1 175->180 181 403d20-403d28 call 405e0c call 40653d 177->181 182 403cfa-403d08 lstrcmpiW 177->182 178->177 181->162 182->181 185 403d0a-403d14 GetFileAttributesW 182->185 189 403d16-403d18 185->189 190 403d1a-403d1b call 405e58 185->190 186->180 196 403e0c-403e26 ShowWindow call 40689a 187->196 197 403e8f-403e97 call 405672 187->197 189->181 189->190 190->181 204 403e32-403e44 GetClassInfoW 196->204 205 403e28-403e2d call 40689a 196->205 202 403eb1-403eb3 call 40140b 197->202 203 403e99-403e9f 197->203 202->175 203->186 208 403ea5-403eac call 40140b 203->208 206 403e46-403e56 GetClassInfoW RegisterClassW 204->206 207 403e5c-403e8d DialogBoxParamW call 40140b call 403b3c 204->207 205->204 206->207 207->180 208->186
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040690A: GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                                                                                      • Part of subcall function 0040690A: GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                                                                                    • lstrcatW.KERNEL32(00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,771B3420,00442800,?,00000000,?), ref: 00403C6D
                                                                                                                                                                                    • lstrlenW.KERNEL32(Could not replace old files!,?,?,?,Could not replace old files!,00000000,C:\Program Files\Wildix\WIService,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,771B3420), ref: 00403CED
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(?,.exe,Could not replace old files!,?,?,?,Could not replace old files!,00000000,C:\Program Files\Wildix\WIService,00442000,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 00403D00
                                                                                                                                                                                    • GetFileAttributesW.KERNEL32(Could not replace old files!,?,00000000,?), ref: 00403D0B
                                                                                                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files\Wildix\WIService), ref: 00403D54
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    • RegisterClassW.USER32(00433EA0), ref: 00403D91
                                                                                                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DA9
                                                                                                                                                                                    • CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DDE
                                                                                                                                                                                    • ShowWindow.USER32(00000005,00000000,?,00000000,?), ref: 00403E14
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403E40
                                                                                                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403E4D
                                                                                                                                                                                    • RegisterClassW.USER32(00433EA0), ref: 00403E56
                                                                                                                                                                                    • DialogBoxParamW.USER32(?,00000000,00403F9A,00000000), ref: 00403E75
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$C:\Program Files\Wildix\WIService$Control Panel\Desktop\ResourceLocale$Could not replace old files!$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
                                                                                                                                                                                    • API String ID: 1975747703-3725246504
                                                                                                                                                                                    • Opcode ID: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
                                                                                                                                                                                    • Instruction ID: 6cc527b2f10929733706d009ff8c1d9b21e511251dd9cb17fe62514cef47010a
                                                                                                                                                                                    • Opcode Fuzzy Hash: cf3279fe7f0dcda04763d777311536b3ad8b8334462163e510e5c591121a5e62
                                                                                                                                                                                    • Instruction Fuzzy Hash: F561A670140300BED721AF66ED46F2B3A6CEB84B5AF40453FF945B62E2CB7D59018A6D

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 217 40307d-4030cb GetTickCount GetModuleFileNameW call 40602d 220 4030d7-403105 call 40653d call 405e58 call 40653d GetFileSize 217->220 221 4030cd-4030d2 217->221 229 4031f0-4031fe call 403019 220->229 230 40310b 220->230 222 4032ad-4032b1 221->222 236 403200-403203 229->236 237 403253-403258 229->237 232 403110-403127 230->232 234 403129 232->234 235 40312b-403134 call 4034cf 232->235 234->235 242 40325a-403262 call 403019 235->242 243 40313a-403141 235->243 239 403205-40321d call 4034e5 call 4034cf 236->239 240 403227-403251 GlobalAlloc call 4034e5 call 4032b4 236->240 237->222 239->237 264 40321f-403225 239->264 240->237 268 403264-403275 240->268 242->237 246 403143-403157 call 405fe8 243->246 247 4031bd-4031c1 243->247 255 4031cb-4031d1 246->255 266 403159-403160 246->266 254 4031c3-4031ca call 403019 247->254 247->255 254->255 257 4031e0-4031e8 255->257 258 4031d3-4031dd call 4069f7 255->258 257->232 267 4031ee 257->267 258->257 264->237 264->240 266->255 270 403162-403169 266->270 267->229 271 403277 268->271 272 40327d-403282 268->272 270->255 273 40316b-403172 270->273 271->272 274 403283-403289 272->274 273->255 275 403174-40317b 273->275 274->274 276 40328b-4032a6 SetFilePointer call 405fe8 274->276 275->255 277 40317d-40319d 275->277 279 4032ab 276->279 277->237 280 4031a3-4031a7 277->280 279->222 281 4031a9-4031ad 280->281 282 4031af-4031b7 280->282 281->267 281->282 282->255 283 4031b9-4031bb 282->283 283->255
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040308E
                                                                                                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,00000400,?,?,?,?,?,0040387D,?), ref: 004030AA
                                                                                                                                                                                      • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                      • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00444000,00000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D), ref: 004030F6
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,}8@,?,?,?,?,?,0040387D,?), ref: 0040322C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp$C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$}8@
                                                                                                                                                                                    • API String ID: 2803837635-1313478757
                                                                                                                                                                                    • Opcode ID: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                                                                                                                                    • Instruction ID: 750c061bb954c4555836cecba7cc54c639b148d890841a972b43b12454d44aa7
                                                                                                                                                                                    • Opcode Fuzzy Hash: b2925046ebf4ee23c20be954f21b6b8de3b8febbf6f0f410cc7df6a070a5bb34
                                                                                                                                                                                    • Instruction Fuzzy Hash: 7951B571904204AFDB10AF65ED42B9E7EACAB48756F14807BF904B62D1C77C9F408B9D

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 569 40657a-406585 570 406587-406596 569->570 571 406598-4065ae 569->571 570->571 572 4065b0-4065bd 571->572 573 4065c6-4065cf 571->573 572->573 574 4065bf-4065c2 572->574 575 4065d5 573->575 576 4067aa-4067b5 573->576 574->573 577 4065da-4065e7 575->577 578 4067c0-4067c1 576->578 579 4067b7-4067bb call 40653d 576->579 577->576 580 4065ed-4065f6 577->580 579->578 582 406788 580->582 583 4065fc-406639 580->583 584 406796-406799 582->584 585 40678a-406794 582->585 586 40672c-406731 583->586 587 40663f-406646 583->587 588 40679b-4067a4 584->588 585->588 589 406733-406739 586->589 590 406764-406769 586->590 591 406648-40664a 587->591 592 40664b-40664d 587->592 588->576 593 4065d7 588->593 594 406749-406755 call 40653d 589->594 595 40673b-406747 call 406484 589->595 598 406778-406786 lstrlenW 590->598 599 40676b-406773 call 40657a 590->599 591->592 596 40668a-40668d 592->596 597 40664f-40666d call 40640b 592->597 593->577 610 40675a-406760 594->610 595->610 601 40669d-4066a0 596->601 602 40668f-40669b GetSystemDirectoryW 596->602 611 406672-406676 597->611 598->588 599->598 607 4066a2-4066b0 GetWindowsDirectoryW 601->607 608 406709-40670b 601->608 606 40670d-406711 602->606 612 406713-406717 606->612 613 406724-40672a call 4067c4 606->613 607->608 608->606 616 4066b2-4066ba 608->616 610->598 615 406762 610->615 611->612 614 40667c-406685 call 40657a 611->614 612->613 617 406719-40671f lstrcatW 612->617 613->598 614->606 615->613 620 4066d1-4066e7 SHGetSpecialFolderLocation 616->620 621 4066bc-4066cf 616->621 617->613 624 406705 620->624 625 4066e9-406703 SHGetPathFromIDListW CoTaskMemFree 620->625 621->606 621->620 624->608 625->606 625->624
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(Could not replace old files!,00000400), ref: 00406695
                                                                                                                                                                                    • GetWindowsDirectoryW.KERNEL32(Could not replace old files!,00000400,00000000,0042C248,?,004055D6,0042C248,00000000,00000000,00425DB7,771B23A0), ref: 004066A8
                                                                                                                                                                                    • lstrcatW.KERNEL32(Could not replace old files!,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                    • lstrlenW.KERNEL32(Could not replace old files!,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Directory$SystemWindowslstrcatlstrlen
                                                                                                                                                                                    • String ID: Could not replace old files!$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                                                                                                    • API String ID: 4260037668-3369832133
                                                                                                                                                                                    • Opcode ID: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                                                                                    • Instruction ID: 685928b229c5d1fd60d609eb920d771e11fa4d776b5b66b0bad6c944a0f90ddf
                                                                                                                                                                                    • Opcode Fuzzy Hash: 71c82525ba0a65243e1f04eb87fe478d36a31e86dfe70ef8bf5ce9ddd18f012c
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1D61D131900205EADB209F64DD80BAE77A5EF54318F22813BE907B72D0D77D99A1CB5D

Control-flow Graph: function at 4032b4 (legend: Executed / Not Executed; API calls shown: GetTickCount, MulDiv, wsprintfW)
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountTick$wsprintf
                                                                                                                                                                                    • String ID: *B$ A$ A$... %d%%$}8@
                                                                                                                                                                                    • API String ID: 551687249-3029848762
                                                                                                                                                                                    • Opcode ID: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                                                                                                                                                                    • Instruction ID: 54ab186c05730647c672001b6e56d135182c7b51176e178f40f708a1e84a381e
                                                                                                                                                                                    • Opcode Fuzzy Hash: d1cfd4714e4687a3a26bd4ac3846c46955ae89f51795138bd42b88bfc39313c7
                                                                                                                                                                                    • Instruction Fuzzy Hash: E251BD31810219EBCF11DF65DA44B9E7BB8AF05756F10827BE804BB2C1D7789E44CBA9

Control-flow Graph: function at 40176f (legend: Executed / Not Executed; API calls shown: lstrcatW, CompareFileTime, SetFileTime, CloseHandle)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrcatW.KERNEL32(00000000,00000000,C:\Program Files\Wildix\WIService\wiservice.exe,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017B0
                                                                                                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,C:\Program Files\Wildix\WIService\wiservice.exe,C:\Program Files\Wildix\WIService\wiservice.exe,00000000,00000000,C:\Program Files\Wildix\WIService\wiservice.exe,C:\Program Files\Wildix\WIService,?,?,00000031), ref: 004017D5
                                                                                                                                                                                      • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425DB7,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService$C:\Program Files\Wildix\WIService\wiservice.exe$C:\Windows\TEMP\nseA5F.tmp$C:\Windows\TEMP\nseA5F.tmp\nsExec.dll
                                                                                                                                                                                    • API String ID: 1941528284-2256265428
                                                                                                                                                                                    • Opcode ID: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
                                                                                                                                                                                    • Instruction ID: 1e3f5e060805a06bac003644be00ba5f3fef1f2c353f2d3d357c0a6c5ca497fd
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4def49e1654eb24e31e7e0ccc8337252fe7285c88cb32d22f2bbeb2144da9b53
                                                                                                                                                                                    • Instruction Fuzzy Hash: F4419371900108BACF11BFB5DD85DAE7A79EF45768B20423FF422B10E2D63C8A91966D

Control-flow Graph: function at 40689a (legend: Executed / Not Executed; API calls shown: GetSystemDirectoryW, wsprintfW, LoadLibraryExW)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                                                                                    • wsprintfW.USER32 ref: 004068EC
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: DirectoryLibraryLoadSystemwsprintf
                                                                                                                                                                                    • String ID: %s%S.dll$UXTHEME$\
                                                                                                                                                                                    • API String ID: 2200240437-1946221925
                                                                                                                                                                                    • Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                                                                                                                                    • Instruction ID: 21628a1c63ce2f140fdd4d546058f3b0ba52bdb51e88dcb335987c0e659eada7
                                                                                                                                                                                    • Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
                                                                                                                                                                                    • Instruction Fuzzy Hash: D0F0F671511119ABDB10BB64DD0DF9B376CBF00305F10847AA646F10D0EB7CDA68CBA8

Control-flow Graph: function at 402ea9 (legend: Executed / Not Executed; API calls shown: RegEnumValueW, RegEnumKeyW, RegCloseKey, RegDeleteKeyW)
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402EFD
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F49
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F52
                                                                                                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F69
                                                                                                                                                                                    • RegCloseKey.ADVAPI32(?,?,?), ref: 00402F74
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseEnum$DeleteValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1354259210-0

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 782 70101817-70101856 call 70101bff 786 70101976-70101978 782->786 787 7010185c-70101860 782->787 788 70101862-70101868 call 7010243e 787->788 789 70101869-70101876 call 70102480 787->789 788->789 794 701018a6-701018ad 789->794 795 70101878-7010187d 789->795 796 701018cd-701018d1 794->796 797 701018af-701018cb call 70102655 call 70101654 call 70101312 GlobalFree 794->797 798 70101898-7010189b 795->798 799 7010187f-70101880 795->799 800 701018d3-7010191c call 70101666 call 70102655 796->800 801 7010191e-70101924 call 70102655 796->801 822 70101925-70101929 797->822 798->794 802 7010189d-7010189e call 70102e23 798->802 804 70101882-70101883 799->804 805 70101888-70101889 call 70102b98 799->805 800->822 801->822 815 701018a3 802->815 810 70101890-70101896 call 70102810 804->810 811 70101885-70101886 804->811 818 7010188e 805->818 821 701018a5 810->821 811->794 811->805 815->821 818->815 821->794 825 70101966-7010196d 822->825 826 7010192b-70101939 call 70102618 822->826 825->786 828 7010196f-70101970 GlobalFree 825->828 832 70101951-70101958 826->832 833 7010193b-7010193e 826->833 828->786 832->825 834 7010195a-70101965 call 701015dd 832->834 833->832 835 70101940-70101948 833->835 834->825 835->832 837 7010194a-7010194b FreeLibrary 835->837 837->832
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 70101BFF: GlobalFree.KERNEL32(?), ref: 70101E74
                                                                                                                                                                                      • Part of subcall function 70101BFF: GlobalFree.KERNEL32(?), ref: 70101E79
                                                                                                                                                                                      • Part of subcall function 70101BFF: GlobalFree.KERNEL32(?), ref: 70101E7E
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 701018C5
                                                                                                                                                                                    • FreeLibrary.KERNEL32(?), ref: 7010194B
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70101970
                                                                                                                                                                                      • Part of subcall function 7010243E: GlobalAlloc.KERNEL32(00000040,?), ref: 7010246F
                                                                                                                                                                                      • Part of subcall function 70102810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,70101896,00000000), ref: 701028E0
                                                                                                                                                                                      • Part of subcall function 70101666: wsprintfW.USER32 ref: 70101694
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc$Librarywsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3962662361-3916222277

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 839 40248a-4024bb call 402da6 * 2 call 402e36 846 4024c1-4024cb 839->846 847 402c2a-402c39 839->847 848 4024cd-4024da call 402da6 lstrlenW 846->848 849 4024de-4024e1 846->849 848->849 852 4024e3-4024f4 call 402d84 849->852 853 4024f5-4024f8 849->853 852->853 857 402509-40251d RegSetValueExW 853->857 858 4024fa-402504 call 4032b4 853->858 860 402522-402603 RegCloseKey 857->860 861 40251f 857->861 858->857 860->847 861->860
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\Windows\TEMP\nseA5F.tmp,00000023,00000011,00000002), ref: 004024D5
                                                                                                                                                                                    • RegSetValueExW.KERNELBASE(?,?,?,?,C:\Windows\TEMP\nseA5F.tmp,00000000,00000011,00000002), ref: 00402515
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nseA5F.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseValuelstrlen
                                                                                                                                                                                    • String ID: C:\Windows\TEMP\nseA5F.tmp
                                                                                                                                                                                    • API String ID: 2655323295-562886656

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 864 405a6e-405ab9 CreateDirectoryW 865 405abb-405abd 864->865 866 405abf-405acc GetLastError 864->866 867 405ae6-405ae8 865->867 866->867 868 405ace-405ae2 SetFileSecurityW 866->868 868->865 869 405ae4 GetLastError 868->869 869->867
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,?,00442800), ref: 00405AB1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AC5
                                                                                                                                                                                    • SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405ADA
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AE4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ErrorLast$CreateDirectoryFileSecurity
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3449924974-0

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 870 4015c1-4015d5 call 402da6 call 405eb7 875 401631-401634 870->875 876 4015d7-4015ea call 405e39 870->876 878 401663-4022f6 call 401423 875->878 879 401636-401655 call 401423 call 40653d SetCurrentDirectoryW 875->879 884 401604-401607 call 405aeb 876->884 885 4015ec-4015ef 876->885 894 402c2a-402c39 878->894 879->894 896 40165b-40165e 879->896 893 40160c-40160e 884->893 885->884 890 4015f1-4015f8 call 405b08 885->890 890->884 900 4015fa-4015fd call 405a6e 890->900 897 401610-401615 893->897 898 401627-40162f 893->898 896->894 901 401624 897->901 902 401617-401622 GetFileAttributesW 897->902 898->875 898->876 905 401602 900->905 901->898 902->898 902->901 905->893
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405EC5
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A
                                                                                                                                                                                      • Part of subcall function 00405A6E: CreateDirectoryW.KERNELBASE(?,?,00442800), ref: 00405AB1
                                                                                                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,C:\Program Files\Wildix\WIService,?,00000000,000000F0), ref: 0040164D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Program Files\Wildix\WIService, xrefs: 00401640
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$Directory$AttributesCreateCurrentFile
                                                                                                                                                                                    • String ID: C:\Program Files\Wildix\WIService
                                                                                                                                                                                    • API String ID: 1892508949-2436880260

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 906 405f14-405f2f call 40653d call 405eb7 911 405f31-405f33 906->911 912 405f35-405f42 call 4067c4 906->912 913 405f8d-405f8f 911->913 916 405f52-405f56 912->916 917 405f44-405f4a 912->917 919 405f6c-405f75 lstrlenW 916->919 917->911 918 405f4c-405f50 917->918 918->911 918->916 920 405f77-405f8b call 405e0c GetFileAttributesW 919->920 921 405f58-405f5f call 406873 919->921 920->913 926 405f61-405f64 921->926 927 405f66-405f67 call 405e58 921->927 926->911 926->927 927->919
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040653D: lstrcpynW.KERNEL32(?,?,00000400,0040369D,00433F00,NSIS Error), ref: 0040654A
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405EC5
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                      • Part of subcall function 00405EB7: CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    • lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405F6D
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800), ref: 00405F7D
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext$AttributesFilelstrcpynlstrlen
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    • API String ID: 3248276644-3404278061

                                                                                                                                                                                    Control-flow Graph

                                                                                                                                                                                    control_flow_graph 929 40640b-40643d call 4063aa 932 40647b 929->932 933 40643f-40646d RegQueryValueExW RegCloseKey 929->933 935 40647f-406481 932->935 933->932 934 40646f-406473 933->934 934->935 936 406475-406479 934->936 936->932 936->935
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000000,0042C248,00000000,?,?,Could not replace old files!,?,?,00406672,80000002), ref: 00406451
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,00406672,80000002,Software\Microsoft\Windows\CurrentVersion,Could not replace old files!,Could not replace old files!,Could not replace old files!,00000000,0042C248), ref: 0040645C
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • Could not replace old files!, xrefs: 00406412
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID: Could not replace old files!
                                                                                                                                                                                    • API String ID: 3356406503-2564030382
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040607A
                                                                                                                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,?,0040352B,00442000,00442800,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00406095
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CountFileNameTempTick
                                                                                                                                                                                    • String ID: nsa
                                                                                                                                                                                    • API String ID: 1716503409-2209301699
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402103
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425DB7,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402114
                                                                                                                                                                                    • FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402191
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 334405425-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D1
                                                                                                                                                                                    • RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E4
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nseA5F.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Enum$CloseValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 397863658-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 00406008: GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                                                                                                                                                                      • Part of subcall function 00406008: SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                                                                                                                                                                    • RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C1C
                                                                                                                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000000,00405DE3), ref: 00405C24
                                                                                                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00405C3C
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Attributes$DeleteDirectoryRemove
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1655745494-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 0040255B
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(?,?,?,C:\Windows\TEMP\nseA5F.tmp,00000000,00000011,00000002), ref: 004025FD
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseQueryValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3356406503-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
                                                                                                                                                                                    • SendMessageW.USER32(?,00000402,00000000), ref: 004013F4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3850602802-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegDeleteValueW.KERNELBASE(00000000,00000000,00000033), ref: 00402456
                                                                                                                                                                                    • RegCloseKey.KERNELBASE(00000000), ref: 0040245F
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseDeleteValue
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2831762973-0
                                                                                                                                                                                    • Opcode ID: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
                                                                                                                                                                                    • Instruction ID: 30df5d2aec36195d54007c6df5f336708121daf1b93815cec1e8c6dbc8099d71
                                                                                                                                                                                    • Opcode Fuzzy Hash: b75d323d86fa909671316af8d9fa67dfe1c8e59de469e028d3815ce869cacf85
                                                                                                                                                                                    • Instruction Fuzzy Hash: 22F0C232A00120EBDB11ABB89B4DAED72A8AF84314F15443BE141B71C0DAFC5D01866D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                    • CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3712363035-0
                                                                                                                                                                                    • Opcode ID: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                                                                                                                                                    • Instruction ID: 0547baa0b497a95b6ed0e8f273b1969b1ac2c9598ef2001c301bcde660c6e2d6
                                                                                                                                                                                    • Opcode Fuzzy Hash: 4cad7792158b69fc064c933527736888f22fedd2346a68a48c9e5725d4d2403f
                                                                                                                                                                                    • Instruction Fuzzy Hash: 3EE092B4600209BFEB10AB64AE49F7B7AACEB04704F004565BA51E61A1DB78E8158A78
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetModuleHandleA.KERNEL32(?,00000020,?,0040363D,0000000B), ref: 0040691C
                                                                                                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00406937
                                                                                                                                                                                      • Part of subcall function 0040689A: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068B1
                                                                                                                                                                                      • Part of subcall function 0040689A: wsprintfW.USER32 ref: 004068EC
                                                                                                                                                                                      • Part of subcall function 0040689A: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406900
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2547128583-0
                                                                                                                                                                                    • Opcode ID: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                                                                                                                                    • Instruction ID: 98bdf7d71c6046f852b78b75196177710d0a141037308efd39b2ac7baa162fea
                                                                                                                                                                                    • Opcode Fuzzy Hash: c7c26614299f557633109f7ac2ccf4e744cd73af09153470ea8035ac80f12020
                                                                                                                                                                                    • Instruction Fuzzy Hash: 9FE0867390422066D21196745D44D7773A89B99750306443EF946F2090DB38DC31A76E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$AttributesCreate
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 415043291-0
                                                                                                                                                                                    • Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                                                                                                                                    • Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
                                                                                                                                                                                    • Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,00405C0D,?,?,00000000,00405DE3,?,?,?,?), ref: 0040600D
                                                                                                                                                                                    • SetFileAttributesW.KERNELBASE(?,00000000), ref: 00406021
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AttributesFile
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3188754299-0
                                                                                                                                                                                    • Opcode ID: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                                    • Instruction ID: c979a2e86073268fb5c10017c0603d576bb262e7e1663e1e1b2ee048d1a5e24b
                                                                                                                                                                                    • Opcode Fuzzy Hash: a764032cc0ce64e7f87df91ab84dfb27e8fca44cfd77f22972d2dc2d25b91850
                                                                                                                                                                                    • Instruction Fuzzy Hash: 34D012725041316FC2102728EF0C89BBF55EF643717014B35F9A5A22F0CB304C638A98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00403520,00442800,00442800,00442800,00442800,00442800,00403810), ref: 00405AF1
                                                                                                                                                                                    • GetLastError.KERNEL32 ref: 00405AFF
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CreateDirectoryErrorLast
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1375471231-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000), ref: 70102C57
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2541773117.0000000070100000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2541879488.0000000070104000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2541931972.0000000070106000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E57,00000000,?,?), ref: 00406401
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Create
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2289755597-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403498,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 004060F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileWrite
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3934441357-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E2,00000000,00000000,00403306,000000FF,00000004,00000000,00000000,00000000), ref: 004060C4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FileRead
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2738559852-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • VirtualProtect.KERNELBASE(7010505C,00000004,00000040,7010504C), ref: 70102A9D
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2541773117.0000000070100000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2541879488.0000000070104000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2541931972.0000000070106000.00000002.00000001.01000000.00000013.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ProtectVirtual
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 544645111-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MessageBoxIndirectW.USER32(0040A3B8), ref: 00405BF8
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2539016846.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539216998.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539945012.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: IndirectMessage
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1874166685-0
                                                                                                                                                                                    • Opcode ID: f6749a9fdd82ccfbc3f14ac88abdfcd5bd124e1eff81a320dd18a278d53e6756
                                                                                                                                                                                    • Instruction ID: 446ffac9cb85d76d76106d709d705af1d8ec63c33b2c03145d49944b74371d5c
                                                                                                                                                                                    • Opcode Fuzzy Hash: f6749a9fdd82ccfbc3f14ac88abdfcd5bd124e1eff81a320dd18a278d53e6756
                                                                                                                                                                                    • Instruction Fuzzy Hash: 57F07F715207018FC794CF58EE5465A3BF0F789314F54613AEA45A23E4D7B8A4A4CF0E
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,0042C248,?,?,00406438,0042C248,00000000,?,?,Could not replace old files!,?), ref: 004063CE
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Open
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 71445658-0
                                                                                                                                                                                    • Opcode ID: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                    • Instruction ID: 4361357c0318622cec318f667d88df30c4c29b75262f7bca7234b06b46464da2
                                                                                                                                                                                    • Opcode Fuzzy Hash: 759d75b29ffd137612e455953a298f0698f5beae901813cd77d6ec234b014f3e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 83D0123210020EBBDF115F91AD01FAB3B5DAB08310F014426FE06E40A1D775D530A764
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • MoveFileExW.KERNELBASE(?,?,00000005,00405DFB,?,00000000,000000F1,?,?,?,?,?), ref: 00406307
                                                                                                                                                                                      • Part of subcall function 00406183: CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                                                                                                                                                                                      • Part of subcall function 00406183: GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
                                                                                                                                                                                      • Part of subcall function 00406183: GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
                                                                                                                                                                                      • Part of subcall function 00406183: wsprintfA.USER32 ref: 00406202
                                                                                                                                                                                      • Part of subcall function 00406183: GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                                                                                                                                                                      • Part of subcall function 00406183: GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                                                                                                                                                                      • Part of subcall function 00406183: lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                                                                                                                                                                      • Part of subcall function 00406183: SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$NamePathShort$AllocCloseGlobalHandleMovePointerSizelstrcpywsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1930046112-0
                                                                                                                                                                                    • Opcode ID: 8f53434626867040aeaf300899a332654148b257c03f208a35692daf52d65ed0
                                                                                                                                                                                    • Instruction ID: 786f9f27e87e5c9ea407ae46cb6f26f26cce76303f9e9442b57226035b255668
                                                                                                                                                                                    • Opcode Fuzzy Hash: 8f53434626867040aeaf300899a332654148b257c03f208a35692daf52d65ed0
                                                                                                                                                                                    • Instruction Fuzzy Hash: 4AD05232108201BECA011B40ED04A0ABBA2EB84316F11842EF599A40B0EB3280219B09
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403242,?,?,?,?,?,?,0040387D,?), ref: 004034F3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FilePointer
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 973152223-0
                                                                                                                                                                                    • Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                    • Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
                                                                                                                                                                                    • Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrlenW.KERNEL32(00403418,0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                      • Part of subcall function 0040559F: lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425DB7,771B23A0), ref: 004055FA
                                                                                                                                                                                      • Part of subcall function 0040559F: SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                      • Part of subcall function 0040559F: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                      • Part of subcall function 00405B20: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,00000000,00000000), ref: 00405B49
                                                                                                                                                                                      • Part of subcall function 00405B20: CloseHandle.KERNEL32(?), ref: 00405B56
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FEB
                                                                                                                                                                                      • Part of subcall function 004069B5: WaitForSingleObject.KERNEL32(?,00000064), ref: 004069C6
                                                                                                                                                                                      • Part of subcall function 004069B5: GetExitCodeProcess.KERNEL32(?,?), ref: 004069E8
                                                                                                                                                                                      • Part of subcall function 00406484: wsprintfW.USER32 ref: 00406491
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2972824698-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • Sleep.KERNELBASE(00000000), ref: 004014EA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Sleep
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3472027048-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNELBASE(00000040,?,701012DB,?,7010137F,00000019,701011CA,-000000A0), ref: 701012C5
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: AllocGlobal
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3761449716-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040573C
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040574B
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00405788
                                                                                                                                                                                    • GetSystemMetrics.USER32(00000002), ref: 0040578F
                                                                                                                                                                                    • SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B0
                                                                                                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C1
                                                                                                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057D4
                                                                                                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E2
                                                                                                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 004057F5
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405817
                                                                                                                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040582B
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040584C
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040585C
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405875
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405881
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040575A
                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040589E
                                                                                                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005672,00000000), ref: 004058AC
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004058B3
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004058D7
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000008), ref: 004058DC
                                                                                                                                                                                    • ShowWindow.USER32(00000008), ref: 00405926
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040595A
                                                                                                                                                                                    • CreatePopupMenu.USER32 ref: 0040596B
                                                                                                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040597F
                                                                                                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040599F
                                                                                                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059B8
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F0
                                                                                                                                                                                    • OpenClipboard.USER32(00000000), ref: 00405A00
                                                                                                                                                                                    • EmptyClipboard.USER32 ref: 00405A06
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A12
                                                                                                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00405A1C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A30
                                                                                                                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00405A50
                                                                                                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405A5B
                                                                                                                                                                                    • CloseClipboard.USER32 ref: 00405A61
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
                                                                                                                                                                                    • String ID: {
                                                                                                                                                                                    • API String ID: 590372296-366298937
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404F1E
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 00404F29
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 00404F73
                                                                                                                                                                                    • LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F8A
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000FC,00405513), ref: 00404FA3
                                                                                                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FB7
                                                                                                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FC9
                                                                                                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404FDF
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FEB
                                                                                                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404FFD
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00405000
                                                                                                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 0040502B
                                                                                                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405037
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D2
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405102
                                                                                                                                                                                      • Part of subcall function 004044CE: SendMessageW.USER32(00000028,?,00000001,004042F9), ref: 004044DC
                                                                                                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00405116
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00405144
                                                                                                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405152
                                                                                                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00405162
                                                                                                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 0040525D
                                                                                                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C2
                                                                                                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052D7
                                                                                                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004052FB
                                                                                                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 0040531B
                                                                                                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00405330
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00405340
                                                                                                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053B9
                                                                                                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00405462
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405471
                                                                                                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0040549C
                                                                                                                                                                                    • ShowWindow.USER32(?,00000000), ref: 004054EA
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 004054F5
                                                                                                                                                                                    • ShowWindow.USER32(00000000), ref: 004054FC
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2539016846.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539216998.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539945012.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                                                                                                    • String ID: $M$N
                                                                                                                                                                                    • API String ID: 2564846305-813528018
                                                                                                                                                                                    • Opcode ID: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                    • Instruction ID: 669472b6e39b4296dbb294a81ed98d86f32f22d8abeb4cff7518c6a892085abf
                                                                                                                                                                                    • Opcode Fuzzy Hash: dd942b7cbeaa18c8cf4828e28d43e61687b6a80dcb186ef465745c56d9013c5d
                                                                                                                                                                                    • Instruction Fuzzy Hash: EF028A70900608EFDB20DFA9DD45AAF7BB5FB84314F10817AE610BA2E0D7799942DF58
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FD6
                                                                                                                                                                                    • ShowWindow.USER32(?), ref: 00403FF6
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404008
                                                                                                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00404021
                                                                                                                                                                                    • DestroyWindow.USER32 ref: 00404035
                                                                                                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 0040404E
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 0040406D
                                                                                                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404081
                                                                                                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 00404088
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00404133
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 0040413D
                                                                                                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00404157
                                                                                                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041A8
                                                                                                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 0040424E
                                                                                                                                                                                    • ShowWindow.USER32(00000000,?), ref: 0040426F
                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 00404281
                                                                                                                                                                                    • EnableWindow.USER32(?,?), ref: 0040429C
                                                                                                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B2
                                                                                                                                                                                    • EnableMenuItem.USER32(00000000), ref: 004042B9
                                                                                                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D1
                                                                                                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042E4
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,?,0042D268,00000000), ref: 0040430E
                                                                                                                                                                                    • SetWindowTextW.USER32(?,0042D268), ref: 00404322
                                                                                                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00404456
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2539016846.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539216998.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539945012.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1860320154-0
                                                                                                                                                                                    • Opcode ID: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                    • Instruction ID: 19e8ffe36521fda3862950d2389d84f1ef0c133ac5ff71005f69e3a94542e2f3
                                                                                                                                                                                    • Opcode Fuzzy Hash: e7f11a10533a611f3fe78e549378f399a66bd747c21cf404ab37e5123baac86e
                                                                                                                                                                                    • Instruction Fuzzy Hash: DDC1A1B1A00704ABDB206F61EE49E2B3A68FB84746F15053EF741B61F1CB799841DB2D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046F6
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040470A
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404727
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404738
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404746
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404754
                                                                                                                                                                                    • lstrlenW.KERNEL32(?), ref: 00404759
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00404766
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 0040477B
                                                                                                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 004047D4
                                                                                                                                                                                    • SendMessageW.USER32(00000000), ref: 004047DB
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404806
                                                                                                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404849
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00404857
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 0040485A
                                                                                                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00404873
                                                                                                                                                                                    • SetCursor.USER32(00000000), ref: 00404876
                                                                                                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 004048A5
                                                                                                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 004048B7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2539016846.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539216998.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539945012.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
                                                                                                                                                                                    • String ID: Could not replace old files!$N
                                                                                                                                                                                    • API String ID: 3103080414-1020492279
                                                                                                                                                                                    • Opcode ID: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                    • Instruction ID: e0aa441e67ff77812dea5cfa76c138b5706349c0d06c8e95e02877fce1cb63d1
                                                                                                                                                                                    • Opcode Fuzzy Hash: ce357ac6e0fd4f2b4f67e04795876aef6a46bd5fea1783cb4cf669a44dc9f0f8
                                                                                                                                                                                    • Instruction Fuzzy Hash: 1A61A3B5900209BFDB10AF60DD85E6A7BA9FB44314F00843AFB05B62D0D778A951DF98
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010CF
                                                                                                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010E4
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004010ED
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 00401105
                                                                                                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 00401126
                                                                                                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401130
                                                                                                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401140
                                                                                                                                                                                    • DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
                                                                                                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401160
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 00401165
                                                                                                                                                                                    • EndPaint.USER32(?,?), ref: 0040116E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                                                                                                    • String ID: F
                                                                                                                                                                                    • API String ID: 941294808-1304234792
                                                                                                                                                                                    • Opcode ID: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                    • Instruction ID: e457e53e67a16f607b198c8be77aa7e47a8fd9e6aa67a1a07366d16d1d2d9a76
                                                                                                                                                                                    • Opcode Fuzzy Hash: 15a6b7738402934ac822911e252168026e8f0364f08849f6e110b85e8bc9718e
                                                                                                                                                                                    • Instruction Fuzzy Hash: 0E418B71800209AFCF058FA5DE459AF7FB9FF44315F04802AF991AA1A0C738AA55DFA4
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 004049D9
                                                                                                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00404A03
                                                                                                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00404AB4
                                                                                                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404ABF
                                                                                                                                                                                    • lstrcmpiW.KERNEL32(Could not replace old files!,0042D268,00000000,?,?), ref: 00404AF1
                                                                                                                                                                                    • lstrcatW.KERNEL32(?,Could not replace old files!), ref: 00404AFD
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B0F
                                                                                                                                                                                      • Part of subcall function 00405B81: GetDlgItemTextW.USER32(?,?,00000400,00404B46), ref: 00405B94
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
                                                                                                                                                                                      • Part of subcall function 004067C4: CharNextW.USER32(?,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
                                                                                                                                                                                      • Part of subcall function 004067C4: CharPrevW.USER32(?,?,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E
                                                                                                                                                                                    • GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 00404BD2
                                                                                                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BED
                                                                                                                                                                                      • Part of subcall function 00404D46: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                      • Part of subcall function 00404D46: wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                      • Part of subcall function 00404D46: SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
                                                                                                                                                                                    • String ID: A$C:\Program Files\Wildix\WIService$Could not replace old files!
                                                                                                                                                                                    • API String ID: 2624150263-292388246
                                                                                                                                                                                    • Opcode ID: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                    • Instruction ID: a81e8b8b6ddc8ea4f7a7a45a10ce21cc850824e22f7b82fba9ad49fead82d7d1
                                                                                                                                                                                    • Opcode Fuzzy Hash: a166dbd395641350e1cfd01e9a5963c0b70786fd40c7a63bf9b40c361ea88958
                                                                                                                                                                                    • Instruction Fuzzy Hash: CBA191B1900208ABDB119FA6DD45AAFB7B8EF84314F10803BF601B62D1D77C9A41CB6D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,0040631E,?,?), ref: 004061BE
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061C7
                                                                                                                                                                                      • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                                                                                      • Part of subcall function 00405F92: lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                                                                                    • GetShortPathNameW.KERNEL32(?,00431108,00000400), ref: 004061E4
                                                                                                                                                                                    • wsprintfA.USER32 ref: 00406202
                                                                                                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 0040623D
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 0040624C
                                                                                                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406284
                                                                                                                                                                                    • SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062DA
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 004062EB
                                                                                                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062F2
                                                                                                                                                                                      • Part of subcall function 0040602D: GetFileAttributesW.KERNELBASE(00000003,004030BD,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00406031
                                                                                                                                                                                      • Part of subcall function 0040602D: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,?,?,0040387D,?), ref: 00406053
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
                                                                                                                                                                                    • String ID: %ls=%ls$[Rename]
                                                                                                                                                                                    • API String ID: 2171350718-461813615
                                                                                                                                                                                    • Opcode ID: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
                                                                                                                                                                                    • Instruction ID: 71978d88b6039f89b25a0dfa2ffa892efa56fbf884cfe692307f7793e751c739
                                                                                                                                                                                    • Opcode Fuzzy Hash: 6dbc896bee28fc2cd17c6beb7c7e3b01e9a95bb407788db3ff507c40593cf796
                                                                                                                                                                                    • Instruction Fuzzy Hash: 6A314670200716BBD2207B659D48F6B3A6CEF45754F15017EFA42F62C2EA3CA821867D
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 0040451D
                                                                                                                                                                                    • GetSysColor.USER32(00000000), ref: 0040455B
                                                                                                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00404567
                                                                                                                                                                                    • SetBkMode.GDI32(?,?), ref: 00404573
                                                                                                                                                                                    • GetSysColor.USER32(?), ref: 00404586
                                                                                                                                                                                    • SetBkColor.GDI32(?,?), ref: 00404596
                                                                                                                                                                                    • DeleteObject.GDI32(?), ref: 004045B0
                                                                                                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 004045BA
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2320649405-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • ReadFile.KERNEL32(?,?,?,?), ref: 00402758
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402793
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027B6
                                                                                                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027CC
                                                                                                                                                                                      • Part of subcall function 0040610E: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406124
                                                                                                                                                                                    • SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 00402878
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: File$Pointer$ByteCharMultiWide$Read
                                                                                                                                                                                    • String ID: 9
                                                                                                                                                                                    • API String ID: 163830602-2366072709
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 701025C2
                                                                                                                                                                                      • Part of subcall function 701012CC: lstrcpynW.KERNEL32(00000000,?,7010137F,00000019,701011CA,-000000A0), ref: 701012DC
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040), ref: 70102548
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 70102563
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
                                                                                                                                                                                    • String ID: @H3w
                                                                                                                                                                                    • API String ID: 4216380887-4275297014
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000,?), ref: 004055D7
                                                                                                                                                                                    • lstrlenW.KERNEL32(00403418,0042C248,00000000,00425DB7,771B23A0,?,?,?,?,?,?,?,?,?,00403418,00000000), ref: 004055E7
                                                                                                                                                                                    • lstrcatW.KERNEL32(0042C248,00403418,00403418,0042C248,00000000,00425DB7,771B23A0), ref: 004055FA
                                                                                                                                                                                    • SetWindowTextW.USER32(0042C248,0042C248), ref: 0040560C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405632
                                                                                                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040564C
                                                                                                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040565A
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32(Could not replace old files!,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32(Could not replace old files!,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSendlstrlen$lstrcat$TextWindow
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1495540970-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E6F
                                                                                                                                                                                    • GetMessagePos.USER32 ref: 00404E77
                                                                                                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404E91
                                                                                                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EA3
                                                                                                                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404EC9
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                                                                                                    • String ID: f
                                                                                                                                                                                    • API String ID: 41195575-1993550816
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB1
                                                                                                                                                                                    • MulDiv.KERNEL32(01858A60,00000064,0185B4D8), ref: 00402FDC
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00402FEC
                                                                                                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00402FFC
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • verifying installer: %d%%, xrefs: 00402FE6
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                                                                                                    • String ID: verifying installer: %d%%
                                                                                                                                                                                    • API String ID: 1451636040-82062127
                                                                                                                                                                                    APIs
                                                                                                                                                                                      • Part of subcall function 701012BB: GlobalAlloc.KERNELBASE(00000040,?,701012DB,?,7010137F,00000019,701011CA,-000000A0), ref: 701012C5
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 70102743
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70102778
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B1
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029CD
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 00402A06
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402A19
                                                                                                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A35
                                                                                                                                                                                    • DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A48
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$AllocFree$CloseDeleteFileHandle
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2667972263-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 00406827
                                                                                                                                                                                    • CharNextW.USER32(?,?,?,00000000,?,00403508,00442800,00442800,00403810), ref: 00406836
                                                                                                                                                                                    • CharNextW.USER32(?,00000000,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040683B
                                                                                                                                                                                    • CharPrevW.USER32(?,?,771B3420,00442800,?,00403508,00442800,00442800,00403810), ref: 0040684E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Char$Next$Prev
                                                                                                                                                                                    • String ID: *?|<>/":
                                                                                                                                                                                    • API String ID: 589700163-165019052
                                                                                                                                                                                    APIs
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: FreeGlobal
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2979337801-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDlgItem.USER32(?,?), ref: 00401D9A
                                                                                                                                                                                    • GetClientRect.USER32(?,?), ref: 00401DE5
                                                                                                                                                                                    • LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E15
                                                                                                                                                                                    • SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E29
                                                                                                                                                                                    • DeleteObject.GDI32(00000000), ref: 00401E39
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1849352358-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GetDC.USER32(?), ref: 00401E51
                                                                                                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E6B
                                                                                                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00401E73
                                                                                                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00401E84
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrcatW.KERNEL32(Could not replace old files!,\Microsoft\Internet Explorer\Quick Launch), ref: 0040671F
                                                                                                                                                                                      • Part of subcall function 0040657A: lstrlenW.KERNEL32(Could not replace old files!,00000000,0042C248,?,004055D6,0042C248,00000000), ref: 00406779
                                                                                                                                                                                    • CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED3
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CapsCreateDeviceFontIndirectReleaselstrcatlstrlen
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2584051700-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,701022D8,?,00000808), ref: 701016D5
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,701022D8,?,00000808), ref: 701016DC
                                                                                                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,701022D8,?,00000808), ref: 701016F0
                                                                                                                                                                                    • GetProcAddress.KERNEL32(701022D8,00000000), ref: 701016F7
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 70101700
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1148316912-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB3
                                                                                                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CCB
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: MessageSend$Timeout
                                                                                                                                                                                    • String ID: !
                                                                                                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DE7
                                                                                                                                                                                    • wsprintfW.USER32 ref: 00404DF0
                                                                                                                                                                                    • SetDlgItemTextW.USER32(?,0042D268), ref: 00404E03
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                                                                                                    • String ID: %u.%u%s%s
                                                                                                                                                                                    • API String ID: 3540041739-3551169577
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • CharNextW.USER32(?,?,C:\,?,00405F2B,C:\,C:\,771B3420,?,00442800,00405C69,?,771B3420,00442800,00000000), ref: 00405EC5
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405ECA
                                                                                                                                                                                    • CharNextW.USER32(00000000), ref: 00405EE2
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharNext
                                                                                                                                                                                    • String ID: C:\
                                                                                                                                                                                    • API String ID: 3213498283-3404278061
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 70101171
                                                                                                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 701011E3
                                                                                                                                                                                    • GlobalFree.KERNEL32 ref: 7010124A
                                                                                                                                                                                    • GlobalFree.KERNEL32(?), ref: 7010129B
                                                                                                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 701012B1
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2541827752.0000000070101000.00000020.00000001.01000000.00000013.sdmp, Offset: 70100000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_70100000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Global$Free$Alloc
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 1780285237-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(C:\Windows\TEMP\nseA5F.tmp\nsExec.dll), ref: 00402695
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen
                                                                                                                                                                                    • String ID: C:\Windows\TEMP\nseA5F.tmp$C:\Windows\TEMP\nseA5F.tmp\nsExec.dll
                                                                                                                                                                                    • API String ID: 1659193697-3046132440
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • DestroyWindow.USER32(00000000,00000000,004031F7,00000001,?,?,?,?,?,0040387D,?), ref: 0040302C
                                                                                                                                                                                    • GetTickCount.KERNEL32 ref: 0040304A
                                                                                                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,00402F93,00000000), ref: 00403067
                                                                                                                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,?,?,0040387D,?), ref: 00403075
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 2102729457-0
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • IsWindowVisible.USER32(?), ref: 00405542
                                                                                                                                                                                    • CallWindowProcW.USER32(?,?,?,?), ref: 00405593
                                                                                                                                                                                      • Part of subcall function 004044E5: SendMessageW.USER32(00000000,00000000,00000000,00000000), ref: 004044F7
                                                                                                                                                                                    Strings
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 3748168415-3916222277
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenW.KERNEL32(80000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,004030E9,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003,?,?,?,?,?,0040387D,?), ref: 00405E5E
                                                                                                                                                                                    • CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,004030E9,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp\SetupWIService.exe,80000000,00000003), ref: 00405E6E
                                                                                                                                                                                    Strings
                                                                                                                                                                                    • C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp, xrefs: 00405E58
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2539016846.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539216998.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539945012.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: CharPrevlstrlen
                                                                                                                                                                                    • String ID: C:\Users\user~1\AppData\Local\Temp\nsn4886.tmp
                                                                                                                                                                                    • API String ID: 2709904686-4128723618
                                                                                                                                                                                    • Opcode ID: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                                    • Instruction ID: d2786f61c86b799b8b6ecf14661ff9643eaf9d362a95097130d0805b1e4d2bc4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 176def5b2db9ef34a9f22db2929791273b03e08e07d7b66f37effa829582f156
                                                                                                                                                                                    • Instruction Fuzzy Hash: 36D0A7B3410D20DAC3126718DC04DAF73ECFF6134074A442AF481A71A4D7785E8186ED
                                                                                                                                                                                    APIs
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FA2
                                                                                                                                                                                    • lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FBA
                                                                                                                                                                                    • CharNextA.USER32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FCB
                                                                                                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00406277,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FD4
                                                                                                                                                                                    Memory Dump Source
                                                                                                                                                                                    • Source File: 00000014.00000002.2539113736.0000000000401000.00000020.00000001.01000000.0000000E.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                                                                    • Associated: 00000014.00000002.2539016846.0000000000400000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539216998.0000000000408000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000040A000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.000000000042F000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000431000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000437000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000440000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539309314.0000000000443000.00000004.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    • Associated: 00000014.00000002.2539945012.0000000000457000.00000002.00000001.01000000.0000000E.sdmp
                                                                                                                                                                                    Joe Sandbox IDA Plugin
                                                                                                                                                                                    • Snapshot File: hcaresult_20_2_400000_SetupWIService.jbxd
                                                                                                                                                                                    Similarity
                                                                                                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                                                                                                    • String ID:
                                                                                                                                                                                    • API String ID: 190613189-0
                                                                                                                                                                                    • Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction ID: bd09551308ad338638525116890fdadd4ab1f465f5503068af61de479685a4e4
                                                                                                                                                                                    • Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
                                                                                                                                                                                    • Instruction Fuzzy Hash: 34F0C231604418FFC7029BA5CD0099EBBA8EF06250B2140AAF840FB210D678DE019BA9